Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Is

Making philosophy about the why behind technical things.

  • Appreciation

    Appreciation

    I’m not often speechless but today, I was.

    Since I retired from Plugins, it’s been really quiet for me. Which is the way I like it. I still sit on the sidelines, happy to advise and dredge up old history. I covered a couple exceptional cases with developers who were on the verge of being banned (and happily managed to get one on the right track). But the only plugins I reviewed were for work or myself.

    Today, working on some in-depth learning (because we’re always learning), the doorbell rang and a large package was delivered. My wife asked if I ordered a frame for some art we’re thinking about hanging, but I hadn’t. As soon as I opened it, I caught a glimpse of a drawing by Ben Dunkle, which has hung in various places in my office since my very first WordCamp San Francisco.

    I must have repeated “What!?!” a dozen times as we unwrapped it and saw this:

    An "album" that shows a drawing of me with the title "Mika Epstein - A Retrospective" -- Album notes are in the text below.

    Greatest Hits

    • 9 Make Teams Contributed
    • 83 Core Contributions
    • 2,823 Make Posts
    • 29,094 Plugins Approved
    • 57,094 Plugins Reviewed
    • 138,935 Replies Sent

    I know that WP Release leads get things like that after their ordeal is through.

    I was, in no way, expecting anything like this.

    To Matt and all, you are very welcome. And this is appreciated in a way you might never understand, but I am touched from the bottom of my heart.

    I never actually counted how many plugins I reviewed over the years… And that doesn’t even touch on the myriad closures, re-openings, and transfers.

  • It’s Not About the Money

    It’s Not About the Money

    I left Twitter last year for a very personal and specific reason. That reason? They refuse to protect anyone.

    There remain a number of humans on Twitter who delight in harassing, blasting, humiliating (trying …), and vilifying me. One of whom was actually (briefly) banned. And it was rough enough before the new regime, which has made things objectively worse. Not a little worse, a lot worse.

    I went over to Mastodon and I have no regrets. It’s much nicer, even though there are some flaws (spam at the moment, but also some gatekeeping and racism that needs to stop). For example, on Sunday recently, I posted how I don’t believe in AI. I am my father’s daughter, after all, and there is nothing intelligent about what we’ve created, save in our own. The machine does not think, it does not innovate, it keeps to what it knows.

    On Mastodon? That got a lot of nuanced conversations. On Twitter I had to be handy with the block button.

    Now no social media is “great” for the soul, but Twitter has been doing a dumb ass speed run and hurting as many people as possible.

    Dangerous Minds

    On April 8th, Twitter removed the language in its hateful conduct policy that explicitly protected transgender people from online harassment. 

    Prior to the rule change, Twitter’s Hateful Content Policy stated:

    We prohibit targeting others with repeated slurs, tropes or other content that intends to dehumanize, degrade or reinforce negative or harmful stereotypes about a protected category. This includes targeted misgendering or deadnaming of transgender individuals. In some cases, such as (but not limited to) severe, repetitive usage of slurs, or racist/sexist tropes where the context is to harass or intimidate others, we may require Tweet removal. In other cases, such as (but not limited to) moderate, isolated usage where the context is to harass or intimidate others, we may limit Tweet visibility as further described below.

    It now is:

    We prohibit targeting others with repeated slurs, tropes or other content that intends to degrade or reinforce negative or harmful stereotypes about a protected category. In some cases, such as (but not limited to) severe, repetitive usage of slurs, or racist/sexist tropes where the context is to harass or intimidate others, we may require Tweet removal. In other cases, such as (but not limited to) moderate, isolated usage where the context is to harass or intimidate others, we may limit Tweet visibility as further described below.

    They removed three key words.

    1. dehumanize
    2. misgendering
    3. deadnaming

    This removal of stated protections happens at the same time Florida is banning drag shows, health care for trans youths, and more.

    Be Judged By Your Actions

    This is a technical sort of blog, I know. But this overlaps into that, so hold on a second.

    People will judge you by your actions. If you treat people like dirt, you will be seen as an asshole. If you’re Jewish, you’re likely familiar with a saying along the lines of “If someone sits down at a table with 11 Nazis, and doesn’t leave, you now have 12 Nazis.”

    The point being: if you give money to someone’s company when you are aware of their transphobic, homophobic, antisemitic, hate-filled actions, we are all going to look at you like you’re an asshole too. And when you allow those people in your community, you’re saying “I’m okay with these people who dehumanize others.”

    Now, how does this relate to tech, besides Twitter being a tech company?

    Take a LONG hard look at Twitter right now. See how many people are being unmitigated assholes to the users, and see that nothing is being done to stop it. Got that image in your head?

    Awesome. Now. What are YOU doing to stop it in YOUR products?

    I talk about how tech is open to being abused so much because, thus far, we have done very little to actually protect anyone. I mean, you tell me how you can block someone who could spin up a hundred accounts in minutes, just to email you and be a jerk? There are, of course, some things you cannot stop, but think about it this way…

    If someone came to your home to harass you, there are resources (cops, for example). If someone’s harassing you on Twitter, you go to Twitter support, right? They do nothing, which means they have a product and they don’t care about you. Hell, Twitter will tell you that someone telling you that you deserve to suffer is fine, but will ban you for telling them to jump in a volcano, because you made a death threat.

    Not a joke. Happened to a friend.

    There aren’t laws that properly cover online abuse. There aren’t. Don’t get me started. But that means the responsibility is on US, the creators of the tools. I’ve said it a million times, if you make a forms plugin and do not take time to figure out ways to allow people to protect themselves, you failed. Look at how much custom code I’ve had to make just to get people to leave me alone!

    If your code won’t protect me, I won’t use it because it’s not safe. And when you side with people who categorically make things unsafe, well, now I don’t trust you.

    Stand By What You Believe In

    Someone’s probably going to ask me how far I go with this. I’ll put it this way. If, tomorrow, Musk ‘bought out’ WordPress, I would quit my job and start over with anything else. And I’d have to think about what to do with my websites.

    At the same time, if you’re still using Twitter as a non-paying user? That’s your call and I won’t think ill of you for it. There absolutely are some communities that only exist on Twitter, and moving them is a pain in the ass. I feel this way about Facebook, I hate it and I hate how it treats people, but I understand it’s a necessary evil. I wish it was easier to move everyone elsewhere, but not all products are built like WordPress.

    That’s the nice thing, I think. If, tomorrow, I had to quit WP, I really do have options! I can export and migrate! Because WordPress lets you own your data. But that’s another post.

    And contrary to what some people may think, I am absolutely in support of paying for social media! I donated to my Mastodon host (I just switched so I have to set things back up again) because a couple bucks a month for enjoyment is something I can afford.

    I’m opposed to PAYING to be treated like a second or third class human, and I absolutely judge you when you do pay them.

    Listen and Protect

    Here’s my advice and it starts with a story.

    Back in 2010 or so, there was a courthouse in Franklin County Ohio that had a glass staircase.

    Why is that a problem?

    Go put on a skirt while I stand underneath and tell you what color your underpants are (if you wear them).

    That’s a damned obvious problem to anyone who regularly wears skirts and dresses. Why didn’t the courthouse think of that? Men probably designed it and didn’t ask or didn’t listen until the Judge saw it and got pissed off.

    In order to make things safe, you have to listen to people. If a skirt-wearing human comes up and says “Hey, this is bad, people can see my panties” you shouldn’t do what the Courthouse did. They had a guard there to warn women, which is not a solution, and said they’d hope people would be mature … That is not listening, and it sure isn’t protecting.

    What they could have done is change the underside of the glass to reflect, or put a film on, or cordon it off so people can’t stand underneath. But instead they went “meh.”

    If you go ‘meh’, you’re the problem folks. You didn’t listen, and when the opportunity arose, you didn’t help.

    So. Listen. Think about what it means to someone else. Have empathy. And then code with that empathy.

    And spend your bucks with that empathy too, by the way.

  • Why We Hate Your Security Reports

    Why We Hate Your Security Reports

    I was having a day where a bunch of security reports were dumped in my lap. There have been days where those have been hundreds. Thankfully this wasn’t, but it did make me sit back and think about why I hated so many reports.

    In general, everything can be summed up as “The person reporting doesn’t provide all the relevant information.” Sometimes they don’t know, and that’s okay. People don’t learn by osmosis, they have to be taught. But a lot of the people submitting reports do know and just don’t share it. And the real crux of it all? People aren’t explaining why things matter.

    Let me explain…

    The Uninformed

    These are the people who report an app and say “It’s this app because I installed it and I was hacked.” Another variant is “It’s this app because that’s where the hacked file lives.”

    And the email will have no other information. With those, I have to explain not only that they’re probably wrong, but also dig to get at the information I actually need.

    • Why do you think it’s this app?
    • Do you have any evidence?

    Those are pretty basic questions at the heart, but it’s on me to explain why correlation isn’t causation, and just because (say) Hello Dolly was infected does not mean that it was vulnerable.

    This has no solution other than education. I dislike those, but since most people are pretty cool about it when I explain how I know it’s not the app they think it is, it’s okay.

    Semi-related are people who email us security logs from their services, and those are always messy, since it’s information without enough context. Which I’ll get to in a minute.

    The Too Terse

    Sometimes reports are explanatory but not enough. “It’s an XSS in this app.”

    Now, the good news is I know what I’m looking for. The bad news is that someone who actually knows what the issue is has decided to not share, which means I now have to figure out how they figured it out. It used to be I’d do that, but then they’d email back all snarky and bitchy that I didn’t find the one they found. Nowadays I push back. “Can you please provide details?”

    That’s hit-and-miss. Sometimes people are pretty chill and explain. The majority do what I think of as a pre-teen eyeroll. You can actually tell they’re huffing in annoyance that someone dared ask them to unpack what was in their heads.

    To put this differently, have you ever had someone say “Hey, the website’s down.” and just … not give you an error message? You know how maddening that is? Right, that’s what we’re talking about.

    The Non Explainers

    You’d think this is the same as Terse, but it’s not. The non-explainers don’t explain WHY something is a security issue.

    I know, someone’s reading this going “Hang on, but if I tell you it’s a SQL injection vulnerability, and where it is, isn’t that enough?” And the answer is, most of the time, yes! The people who give a great proof of concept, with exactly how to replicate it, in clear English, are my favourites. They break down how things happen so you can see “Oh that’s why.” But… When they don’t, it means someone (read: me) has to go and figure out “Okay, why is this bad, and how bad is it?”

    The Hater Reporters

    I can’t believe I had to add this one in, but here we are in 2021 and there are some ‘security reporter firms’ who think the best way to report an issue is

    1. make it public
    2. attempt to make other people feel bad
    3. dogshame developers

    For them, the only way forward is their road or no way at all, and they cannot be reasoned with. Eventually someone will sue them for releasing a 0-day vulnerability without even trying to privately disclose first, and when that happens, I’ll make the popcorn.

    The Issue Is Education

    If you go back through, you can see the real issues are people not unpacking what they actually know and sharing it in a digestible manner! And this is endemic to security companies more than anything else.

    For example, recently a security company reported a local file inclusion (LFI) issue. Now for those who don’t know, the issue is that the code in question could be made to include any file the web server can read, including a file an attacker had already planted. But if someone just tells you “Hey that’s an LFI and you’re bad!” then, even if they take the time to tell you where the issue is, if they’re not explaining to you how it’s exploitable, you may not know!

    And then, even when people explain it, they explain as if they’re talking to a developer of their caliber. I certainly am, but the people I’ve got to pass the report to (the actual devs) are not always. Even when they are, sometimes they’re total berks who will snark that it’s not worth the time to escape things at that low a risk.

    Understanding Risk

    Security is massively important but the reality is that it’s not the first thing on most people’s minds when they write code (sorry folks). Usually people concentrate on making the code work first. Then, once it works, they go back to make it safer. I’m not casting aspersions here. There’s nothing wrong with making it work first. The issues begin when people don’t take security with the proper seriousness.

    Just the other day I saw someone who had to be told that yes, you always escape content you’re echoing. Why? Because users are humans, and humans do some really stupid things, and anything a human typed can contain markup or script. Even if you think of yourself as average, that means roughly half of your users are not as smart as you, which means that half is who you’ve got to look out for. You sanitize content you save, you escape content you echo. All. The. Time.

    And yes, I’ve seen people who are experienced developers, people with plugins whose user count is in the thousands, reply that it’s not needed to escape because … it’ll make their code slower.

    Sometimes I tell people “This is why I drink.”

    Proper Education

    Now. Part of this is on the community/company. WordPress, where I do a lot of work, has decent documentation about security. In fact, as of late WordPress’ docs have been phenomenal about this!

    Here’s what the plugin dev docs say about nonces:

    If your plugin allows users to submit data; be it on the Admin or the Public side; you have to make sure that the user is who they say they are and that they have the necessary capability to perform the action. Doing both in tandem means that data is only changing when the user expects it to be changing.

    Now. That kind of explains why you want to do this, but does it explain why it’s needed for security? Only from a high level. For the crux you have to scroll down a little:

    The capability check ensures that only users who have permission to delete a post are able to delete a post. But what if someone were to trick you into clicking that link? You have the necessary capability, so you could unwittingly delete a post.

    Now that makes a lot more sense, right? That is a good doc, assuming people read it.

    And look at the bolded intro for escaping:

    Escaping means stripping out unwanted data, like malformed HTML or script tags.

    Whenever you’re rendering data, make sure to properly escape it. Escaping output prevents XSS (Cross-site scripting) attacks.

    Whenever. Not sometimes, not when it’s convenient. WHENEVER.

    And yes, this means every single time you echo a variable, you damn well escape it. No questions asked.
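    To make the two doc passages above concrete, here is an added example (written for this page, not code from WordPress core, its documentation, or any real plugin) of a small admin form handler that does all three things together: a nonce so the request provably came from the plugin’s own form, a capability check so the nonce alone can’t authorize the action, and sanitizing on the way in with escaping on the way out. The function, option and nonce names prefixed `hx_` are assumed for illustration; the WordPress functions it calls (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `sanitize_text_field`, `esc_html`, `esc_attr`, `esc_url`, `wp_safe_redirect`) are real core API. It runs only inside a WordPress install, as a plugin file.

```php
<?php
/**
 * Plugin Name: hx Note Deleter (added illustrative example, not a real plugin)
 *
 * Shows nonce + capability check + sanitize-in/escape-out in one handler.
 * All hx_* names and the option keys are assumptions for illustration.
 */

// The unsafe pattern this example replaces, kept only as a comment:
//   echo '<p>Note: ' . get_option( 'hx_example_note' ) . '</p>';   // unescaped output (XSS)
//   if ( isset( $_GET['delete'] ) ) { delete_option( 'hx_example_note' ); } // no nonce, no cap check (CSRF)

// Render the form. Every dynamic value that hits the page is escaped for
// the context it lands in: HTML body, HTML attribute, or URL.
function hx_render_note_form() {
    $note = get_option( 'hx_example_note', '' ); // may contain anything a user once typed
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hx_delete_note">
        <?php wp_nonce_field( 'hx_delete_note', 'hx_nonce' ); // hidden nonce field + referer field ?>
        <p>Current note: <?php echo esc_html( $note ); ?></p>
        <p><label>Reason: <input type="text" name="reason" value="<?php echo esc_attr( $note ); ?>"></label></p>
        <button type="submit">Delete note</button>
    </form>
    <?php
}

// admin_post_{action} only fires for logged-in users; a logged-out variant
// would need admin_post_nopriv_{action} and its own careful checks.
function hx_handle_delete_note() {
    // 1. Nonce: proves the request came from our form and not from a link the
    //    user was tricked into clicking (CSRF). Dies with a 403 page on failure.
    check_admin_referer( 'hx_delete_note', 'hx_nonce' );

    // 2. Capability: the nonce only says "this user meant to submit this form";
    //    it says nothing about whether they are allowed to. Check that separately.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.', 'hx-example' ), 403 );
    }

    // 3. Sanitize on input. wp_unslash() first, because WordPress adds slashes to $_POST.
    $reason = isset( $_POST['reason'] )
        ? sanitize_text_field( wp_unslash( $_POST['reason'] ) )
        : '';

    delete_option( 'hx_example_note' );
    update_option( 'hx_example_last_reason', $reason );

    // Redirect back to the admin page; wp_safe_redirect() refuses off-site hosts.
    wp_safe_redirect( add_query_arg( 'hx_deleted', '1', admin_url( 'options-general.php' ) ) );
    exit;
}
add_action( 'admin_post_hx_delete_note', 'hx_handle_delete_note' );
```

    Note the order in the handler: the nonce check answers “did this user intend this request?”, the capability check answers “may this user do it?”, and neither replaces the other. Escaping happens at the `echo`, with the escaper chosen by where the value lands (`esc_html` in text, `esc_attr` in an attribute, `esc_url` in an `href` or `action`), which is exactly the “whenever” the docs are talking about.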

    But when I say proper education, I mean in explaining why a specific issue is, in fact, an issue.

    Communication Is Queen

    If you’re a regular person who sent a report you weren’t sure about, you’re fine. This next bit is not about you. This is about security experts and other developers.

    Did you contact developers, privately, about issues with their code? If you’re a security company, do you have documentation on your site to explain how something like an XSS or LFI vulnerability works? Did you explain, when you made contact, why this particular LFI is risky? Did you take a minute to share a Proof of Concept to illustrate how you knew something was a risk? Did you describe why and how the POC shows the risk?

    That’s what you have to do.

    You want other developers to be better and to write better code? Then you communicate, clearly, and take time to ensure what you’ve said is understandable by the recipient.

    I hate your security reports because they’re not reports at all. They’re dumping a problem on someone else and not giving them the tools to progress. You’re expecting them to do all the work you already did, which by the way is a waste of everyone’s time. It wastes my time because now I have to do everything you already did, and it wastes yours since I’ll probably ask you for the details.

    But. If you start with a private, polite report of “Hey, I found this. Here’s how and here’s why I know it’s an issue.” then you, my friend, are a hero. You’re actually making the entire world better for everyone.

    Thank you.

  • Failure to Protect

    Failure to Protect

    Something I knew would come up after I posted about my ongoing harassment is the question “How do we fix this?”

    Now, the cause of all this actually can be boiled down to two things:

    1. A systemic failure of social services to help those in need
    2. The overall lack of awareness of how tools are abused

    I can’t really fix the first one. The world is broken on many levels and the fact that people in pain and anger have no help, and thus lash out in anger at me, at you, at people who write code, at people just trying to help … That’s all of us. We need health care (physical and mental). We need fair and equal pay. We need a living wage, not a minimum one where companies literally pay you that because they don’t have to treat you like a human.

    That one is huge.

    But the other problem? That’s why I posted.

    How Can Code Be (Ab)Used?

    When we write code, and this is pretty much all of us, we’re trying to solve a specific problem. Sometimes that problem is huge, with multiple layers and facets and complexities that make us look like a scene from “A Beautiful Mind.” If we’re lucky. Usually we look like this guy:

    Charlie from "it's always sunny in philadelphia" in front of a conspiracy theory wall.

    Regardless of how twisty-turny our code is, though, at the end of the day the question many of us forgot to ask is “What’s the worst thing someone can do with our code?”

    Let me give you an example.

    “What’s a bad thing someone can do with Akismet?”

    Right? It’s an anti-spam plugin that checks via a closed-API (meaning, I have no idea how it works) so it’s not easy at all to abuse, you might think. Well, without any forethought, the very first thing that comes to mind is I could write a bunch of clearly spam comments, spin up my VPN, and use someone else’s email address to leave spam comments on a hundred or a thousand blogs. That would get the email flagged and they’d probably have to constantly struggle until they figured out why, if they ever could. All they’d know is their comments never show up. Give me a couple hours and I could automate that, set it out into the world, and reap the joy of annoying someone.

    I’m fairly certain I just screwed up someone’s day with that, by the way. Sorry/Not Sorry friends over at Akismet. Because that’s my point. If Akismet has not already sat down and made a list of all the shitty, terrible, vile things someone could do with their product, they’ve failed to fully protect its users.

    Disruption Makes Harassment

    When we build to ‘disrupt’ we do so with the knowledge we’re breaking the system. Sometimes we’re breaking it stupidly, like “Uber is disrupting taxis!” really is “Uber figured out that people would rather know what they’re going to pay, and wanted an easy way to hail a gosh darn taxi in the first place! Let’s go!” And yes, I have a low opinion on the ideas to ‘revolutionize’ the bus system (spoilers? invest in public transportation, not privatization).

    The thing is, we continue to attack a single, specific problem. Big, large, whatever, we’re solving a thing.

    But the problem with this is our disruptions create opportunities for harassment.

    Did you get a delivery from Instacart or DoorDash? They know where you live and what you eat. Those are all known risks of course. Could someone roofie my food or tamper with it? Sure! Now the solving of that falls onto the people who package the delivery. Restaurants will tamper-proof seal their deliveries, but that’s on them. What did DoorDash do? Nothing I can find. Instacart? Most of their stuff is pre-packaged, but if you get fresh fruits etc, gosh they could. It’s like those stupid Halloween rumours we heard growing up. None were true, but …

    Uber received 235 reports of a rape occurring during a ride in the United States in 2018. Those are the numbers of reported cases, provided by Uber. Remember, rape is wildly underreported in the US (probably everywhere). Now think about all the information an Uber driver has on you? They know where they picked you up, they know where they dropped you off, and they know your name. And they can get your phone number.

    All those great innovations? Actually yes. They’re really helpful to people! Calling a car to your door that’s more reliable than a Taxi? Hell yes! But they are incredibly easy to use to harass someone. Of course they require you to be in the same general location, but still. What are they doing to make us safer? What about the drivers? Someone I know quit driving because the guy wanted her to drop him off inside a super suspect parking lot. She dropped him off outside. He called her a four letter word that starts with a C.

    Social Media Makes Monsters

    I’m sure I don’t have to list out the problems with social media. If someone harasses me, I block them, but they can make a new account and a new account and a new account. They can get a VPN and a fake email, and we’re always and forever behind the 8 ball catching and stopping.

    Why do Facebook moderators have PTSD? Why do content moderators on YouTube have to sign a waiver agreeing that they know their job may cause mental breakdowns, and it’s not YouTube’s fault?

    And the answer here is because our solutions are HUMANS.

    We disrupted communication, but we opened the door for harassment because there was little to no forethought put into how to protect anyone. In fact, I bet I know how the conversation went (spoilers? I had this conversation with someone):

    “Hey, someone could make a hundred fake accounts all to call someone a jackass.”
    “Yep. No point trying to stop that. We block ’em they’ll just make new accounts.”
    “Yeah, good point. Okay, next item on the agenda? Bots!”

    Oh yeah, bots grew out of that same problem. I used to use something called Block Together to catch and block bots and spammers and harassers, but the fact that it shut down and Twitter never made anything better is … well it tells a story, doesn’t it? Can anyone tell me what Twitter’s done?

    Well they, and Facebook, claim to be using machine learning to find and track abuse, but here’s the funny thing. I have a friend who has been permabanned from Twitter for telling someone to jump in a volcano. The claim was she was violent and sent a legitimate and plausible threat. About a volcano. Which she does not own. I mean, do any of us? It’s not even that it was a bad joke about suicide, it was flagged as a violent threat.

    Want to know how that happens? It’s easy. She tells a man to shove it, he and his friends mob-report her, Twitter’s AI decides “Gosh, if all these people flagged her, it’s real!” and ban her. No appeals. Done. And this story is repeated over and over, that the AI caught something (people talking about black and white chess pieces was pretty recent), banned someone, and that’s the end of it.

    All this is not to mention the ongoing racist and sexist biases of AIs, like the reports of FaceID failing to tell some Asian users apart, or how Google’s AI labelled black people as gorillas. All of those things come down to the problem of people with biases (which is a systemic issue related to the failure of social services) building AIs and not thinking about the abuse therein (which is … an us problem).

    To put this a different way, we’ve been fighting spam in email since email was born, and everyone still gets some in their inbox. If we can’t win with that? We’re never going to win with an AI and abuse.

    Democratizing Abuse

    Now, I’m going to say something controversial.

    WordPress democratized abuse.

    I’m not talking about WordPress.org and the forums and plugins and themes. I’m talking about your blog. If you have comments open, what’s to stop someone from leaving comments pretending to be you? Heck, if you have comments open, what’s to stop someone from leaving comments pretending to be ME? How do you ban someone from your site? How do you ban them from a network? How do you stop them from making an account or email one after another and using your contact form to be a jerk?

    I have 10+ rather insane messages from a contact form, which tells you that even for me, someone who is pretty much awesome at WordPress code, this is not easy. For a long time, you couldn’t filter contact form messages to block spammers on Jetpack. How long? Well I opened the ticket in 2014, so it was a long time until 2020, when someone else made a new ticket about it.

    Is all this WordPress’ fault? Absolutely not! I don’t have to have comments on most of the time, or a contact form. You’ll notice I have neither on most posts on this site, and it’s for a reason. Abuse and harassment. In fact, WordPress gives me the agency to both harass people via my blog (if I wanted to) and protect myself from the harassment by others. That’s a fun one when you say it out loud, ain’t it?

    WordPress is a weapon, like all websites. When wielded by the good and just, it’s a weapon for good and justice. When it’s not? Let me just point out that there are a lot of ‘revenge porn’ type sites out there, powered by WordPress. And again, none of that is WordPress’ fault.

    We built WordPress to make it easier to publish whatever we want, whenever we want. We build features and plugins and themes to share stories. Not all of those stories are good. Some of them are abusive. And while there are already laws out there about it, technology is a massive hole of lawlessness where the laws can’t be applied.

    We’ve all heard “Guns don’t kill people, people kill people.” Some of you even know the common retort “Guns make it a heck of a lot easier, though.”

    WordPress isn’t the harasser, but gosh it makes things easier. And if that doesn’t give you chills and nausea, you’re not paying attention to the world. It sure scares the snot out of me.

    The Open Consequences Net

    I have to preface this bit with the fact that I don’t believe in ‘Cancel Culture’ but I do believe in consequence culture. Do I think you should be ‘canceled’ for telling a single off-colour joke 5 or 10 years ago? Hell no. But do I think you should be canceled for telling multiple jokes, being a defensive jerk when called out on them, and showing your literal penis to people? Hell yes.

    Actions have consequences. Or at least they should. And the problem we’re facing is that by making an Open Internet, which I’m in full support of, we failed to put in any way to enforce consequences. Everything is siloed, so I can ban you from site A or B, but not C or D. Worse, because you can make another email or get a new IP, I cannot permanently ban you forever, just each account.

    Whack-a-Mole gif of someone ... whacking a fake mole that pops up in a game.

    Basically? We built something so wild and free and open, we cannot contain or control it anymore.

    Can We Fix It?

    This is the part where I tell you how much I hated making this post.

    See, I have no idea. Seriously.

    Even if we make the internet ‘invite only’ (as if that was possible), it’ll still be abused. But I don’t think that means we should do nothing. I think we’re not doing enough to make it difficult and hard for abusers and harassers to get a foot in the door. We’re making it so the only way people can protect themselves is to simply not be social online. Given the pandemic, I suspect you can all see why that’s a flawed prospect.

    Everything we need to do needs to be balanced. For example, it’s easy (and probably right) to say we need to begin to disrupt ‘anonymity’ but… What about people who can’t say who they are for fear of retribution? I immediately think of all those kids out there who are terrified for their ultra conservative, homo-hatin’ family members to find out they’re queer? They should be allowed to be anonymous and learn that there’s a world out there who loves them.

    I do like to bag on Twitter and Facebook for their lack of nuance when it comes to handling harassment and abuse, but I am also a realist. At their scale? How the hell do you tackle things? The only answer is really to throw more humans at it which would make more jobs, but it’s some of the most soul destroying work you’re ever going to do. And they don’t see it as a beneficial investment, so they’re not going to pay the people who do this a solid wage, with great health care, rotating them in and out so they don’t flame out.

    Proof? Okay. Read what happened to WangGuard.

    WangGuard worked in two different ways: as an algorithm that I had been refining for 7 years, and which was getting better as the sploggers evolved, so that it was always one step ahead of them, and also as human curation, in which I reviewed many factors, among them sites of sploggers, to see if their content could improve the algorithm and make sure that it worked correctly both when it was blocking or not blocking a site. The great secret of WangGuard was this second part. Without it WangGuard would not ever have become what it was.

    This human component is what I have been doing for 7 years, and also what has led me to close WangGuard (along with other considerations that are not relevant).

    Why WangGuard was Closed by Jose Conti

    And I have to agree with Jose, doing that job eats at your soul. The ‘fix’ is to change the world, and that’s just exhausting.

    What Can We Do?

    When you make a product, ask yourself “How can this be abused?” If you can’t think of anything, look around the room of the people you’re working with. Are they all from the same ethnic or socioeconomic background as you? Get people who aren’t. Get minorities in the room. Get PoC, get women, get queers, get kids. Get people who didn’t go to college, those who did, those with and without children, those from other nations. Get them and ask them “Hey, what’s the worst thing you could do to someone else with this?” Ask them “Do you see any flaws?”

    And then? Listen to them. If women tell you “That’s going to make it impossible to stop people from sending us dick pics” take it seriously. But for the love of Pete the Plug, take them seriously.

    This means we are all going to have to accept when we’re wrong, when our ideas have flaws, and learn from those moments. It’s hard! We don’t want to hear our great idea is screwed up, but sometimes it is.

    We’ll never change the world for the better if we cannot change ourselves.

  • Bad Actors: Block or Not?

    Bad Actors: Block or Not?

    So here’s a fun question… Say you’re being harassed or bothered by a single person. Do you block them?

    This should be a simple answer, right? Obviously block. If you block, you don’t have to see them, they can’t get to you, it’s great. Except, as anyone who’s been harassed will tell you, if the person is particularly an asshole, they will make more accounts with which to try and contact you! I’m not joking when I say my particular headache has used over 100 separate emails. Even if you report them to the email services as soon as possible, some will tell you “There’s nothing we can do to prevent abuse.”

    That’s a different issue for another post. This one is … do I block or not?

    The ‘dude’ in this story is an amalgamation of at least five separate men, all of whom did the same thing, and all of whom claim to be ‘woke’ feminists. No names are mentioned nor will they be, but I suspect they’ll see themselves…

    The ‘splain Drain

    There’s no way around this one, and some people I know on Twitter do this. If you block people on an account, they use another. I’ve blocked people for being perpetual mansplainers. Like someone who was offering advice on how to travel after it was mentioned a friend and I were going to a specific location he was familiar with. Now, you’d think “Oh but he meant well, right?” The problem was he had a history of un-thinking hot-takes. We were going to a specific convention (not WordCamp) and we knew we’d be working that con basically 12 hours a day, making notes, recording interviews, and so on. Our goal was not to go to that town and party, it was work.

    The advice? Lots of places to have fun, how to handle working conventions, etc etc.

    Now. Anyone who actually knew us and followed our tweets knew that my friend and I had all that locked down. We’ve worked cons before, ones way the hell bigger than this one, and we knew how to handle ourselves. We knew how to optimize our packing, how to prioritize, and we were not asking for advice or help. Simply, we said we were excited to go to this event.

    Again, you could think “Oh but he meant well.” The thing was, he took zero time to read the room. He didn’t scroll back and see the older tweets, he didn’t see any of the conversations prior. He saw one moment, and jumped in. All of the other comments were about who we were going to meet/interview, how nice it would be to be at a convention like that, tech talk about devices and charging and packing and carrying. We weren’t going to go to party, we weren’t going to go to fancy restaurants. We had jobs.

    If you’re a woman in tech, you’re tired of that behaviour. Because now it’s suddenly your job to roll back, re-explain everything, and thank this person for their time but you’re good. And I have to tell you, it’s exhausting to do that over and over and over. I cannot begin to tell you how many times my reply to someone has been “Thanks, but per the discussion, we’re doing X. Please re-read the whole convo.”

    It is an ongoing, perpetual drain that men (and yes, I do call out men here) jump in with ‘help’ without giving anyone the respect and time to actually read the freaking room. They don’t do the research, they don’t read the scroll back, they don’t even ask “Is this all sorted out or can I help?” They assume that you need help, and they believe they’re the one to do it.

    Mute Them

    I’m sure a lot of guys I know are pissed off at me right now, but guess what buddies? That’s why I mute a lot of you. Some women too, yes, and if a single one of you idiots jumps in with ‘not all men!’ I will escalate and block you, because the ‘all’ isn’t the point. The point is that a majority of men (especially in tech) do this. They are the Hero. The Saviour. The Champion. They can help YOU!

    So when people, of any gender, jump into my timeline and offer advice where they clearly have not read a blessed thing, I mute them. The guy I’m talking about who mansplained? Wanna know what he did? He kept on explaining how he was trying to help. My friend told him “Thanks but no thanks.” and I didn’t reply at all, but he went on. So I blocked him. And that sucked, because he was someone I did like as an acquaintance. I’d even given him asked-for advice to get a better job. He has one now, and I’m happy for him.

    Anyway. Blocked him, moved on, and a couple years later he had yet another hot-take which was also entirely wrong. It really doesn’t matter what the subject was, but what matters is I was complaining about a stupid part of a contract that told me I was to do thing A in advance of a release but also not to do thing A until after the release.

    A very confused Nicole Haught, using the confused math meme format.

    So I complained about this on twitter, remarking how daft it was. One of the blokes I’d muted hopped on the reply-train to tell me that’s because I wasn’t really part of the process.

    Repeat that meme above, eh. Signed contract. Told I was supposed to do X for the process, but also not to do it… And if you’re wondering “Mika, didn’t you block him?” yes, yes I did. He used another account to contact me with another bad take. A 100% incorrect take, born of his own ignorance about the subject matter and the contract. I replied, correcting his assumption (and at that time not realizing who he was).

    The next reply from him was that he actually had understood but he wanted to say something ‘different.’ At that point I thought ‘this sounds like one of those guys …’ and I looked at the account. Oh yes, it was. But I thought maybe he was redeemable, maybe he’d changed, and I asked him if he had any experience or expertise in this area at all (it’s not WordPress related). That reply was the nail in the coffin. He said it was a joke, he offered to explain the joke, and he said I knew who he was, and his credentials were available.

    Right. I replied, told him the joke wasn’t funny and if it needed to be explained, it was a bad joke, and I muted him.

    My thought process was as follows:

    1. Someone who always replies with ‘jokes’ isn’t someone I feel like listening to.
    2. People who reply constantly with ‘jokes’ aren’t listening to me in the first place, they’re listening for bullet points they can joke about.
    3. The ‘it was a joke’ defence suggests it wasn’t a joke, he knew that, and he’s hurt I called him out.
    4. Anyone who tells me his credentials are online, and yet flat-out cannot be bothered to correct his assumptions about mine is disrespectful.
    5. I already blocked his personal account.

    Why not block?

    Well. As you can see from this story, I had already blocked him and he was using a secondary account to follow me and comment on things. Did I know, prior to the conversation, that he was in charge of that account? Not at all. I had no reason to look. Now that I have looked, I see his feed is still filled with low-key racism and ignorance all over the damn place. He probably doesn’t even see that, and if he figures out this post is talking about him, he’s probably livid.

    But again, this isn’t about Mr. Mansplainer, it’s about why I didn’t block him right away. I muted him.

    I didn’t block him because I don’t want to encourage him to make a third account (or use another one he already has) to try and talk to me. I just don’t want to hear from him.

    And that is a decision that women online make every day. We recognize that blocking people just makes them madder and that sometimes they jump around and use more accounts to be jerks. It’s happened time and again to me, I’m sure it will again, and it’s why I heavily mute people all the time.

    Amusingly enough, I’ve been blocked by a couple people I’ve muted, one of whom screamed murder because I didn’t accept his DMs. I don’t accept DMs from anyone I don’t follow for a reason: I’m tired of people being assholes. So it wasn’t personal, John Doe, but way to go.

    Okay but … How can I mute on my site?

    You mean comments and contact forms? Good question!

    First? Turn off comments and remove your contact form. You don’t need them most of the time. If you do want them, for the love of the flying spaghetti monster, use the comment moderation tools! In WordPress go to Settings > Discussion. Now, add in their info. Twitter handles and emails go directly into the Disallowed list. First names (especially if they’re common) go into the moderation list.

    But this is also where I’m kind of a bad person. See, if someone is a jerk in emails and I know they may use a contact form, then, as I’ve been saying since 2014, you should be able to blackhole their messages. By blackhole I mean their emails should appear to be sent, but you never see them.

    In short? They’re treated like spam. This sometimes has the side effect of them being flagged as spam elsewhere, which is why I’m kind of a bad person, but to be honest I don’t care at this point. I want them to go away.

    The downside to this is a lot of plugins don’t have a way to do this. I have spent a lot of time writing code for Contact Forms that actually blocks people (or spams them) when they’re people I’m done wasting my time with. I do think more contact forms need to make this a built in option. “Use your Disallowed lists to block …” but that is a different conversation.
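    Here is what that “use your Disallowed list to blackhole them” option could look like in practice. This is an added example, not code from this blog or from any contact form plugin: the check is form-agnostic and reuses the Settings > Discussion “Disallowed Comment Keys” list; the hook at the bottom wires it to Contact Form 7 and assumes CF7’s default field names (your-name, your-email, your-message) and its wpcf7_skip_mail filter.

```php
<?php
/**
 * Added example (not halfelf.org's code): silently drop contact-form
 * submissions from anyone on the Disallowed Comment Keys list. The sender
 * sees the normal "sent" message, no mail goes out, nothing reaches you.
 */

/**
 * Should this submission be blackholed?
 *
 * Reuses WordPress's own comment disallow list, so the handles and emails
 * you already keep in Settings > Discussion cover the contact form too.
 * Returns true when any disallowed key matches the name, email, message,
 * IP or user agent. The empty string fills the URL slot, which a contact
 * form does not have.
 */
function halfelf_is_blackholed( $name, $email, $message, $ip = '', $user_agent = '' ) {
    // wp_check_comment_disallowed_list() exists since WP 5.5; older
    // installs have the identically shaped wp_blacklist_check().
    return wp_check_comment_disallowed_list( $name, $email, '', $message, $ip, $user_agent );
}

/**
 * Contact Form 7 glue (assumed plugin API). Returning true from
 * wpcf7_skip_mail makes CF7 skip sending but still report "mail_sent" to
 * the visitor: that is the blackhole. Returning $skip_mail unchanged
 * leaves everyone else alone.
 */
add_filter( 'wpcf7_skip_mail', function ( $skip_mail, $contact_form ) {
    $submission = WPCF7_Submission::get_instance();
    if ( ! $submission ) {
        return $skip_mail;
    }

    $data  = $submission->get_posted_data();
    $field = function ( $key ) use ( $data ) {
        $value = isset( $data[ $key ] ) ? $data[ $key ] : '';
        // Checkbox-style fields arrive as arrays; flatten so matching works.
        return trim( is_array( $value ) ? implode( ' ', $value ) : (string) $value );
    };

    $drop = halfelf_is_blackholed(
        $field( 'your-name' ),
        $field( 'your-email' ),
        $field( 'your-message' ),
        (string) $submission->get_meta( 'remote_ip' ),
        (string) $submission->get_meta( 'user_agent' )
    );

    if ( $drop ) {
        // Private trail only: lets you audit what was dropped, never shown
        // to the sender.
        error_log( 'Blackholed contact form submission from ' . $field( 'your-email' ) );
        return true;
    }

    return $skip_mail;
}, 10, 2 );
```

    Because the match runs against the same list comments use, adding a Twitter handle or email in Settings > Discussion is all it takes to cover both channels at once.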

    How can I make sure I’m not muted?

    If you’ve gotten this far, and you’re angry or you think I’m an asshole for blocking you or posting ‘about’ you, first you should know this: this post is actually about five separate guys. So if you’re seeing ‘you’ in this, you’re not alone, and I’m probably not the only person who wrote you off. Here’s my advice:

    1. Think before you reply. Read the tweet/post, look at the other replies or the followup posts. If you’re not sure, err on the side of respectful caution.
    2. Stop all ‘hot takes’ and ‘joke’ replies unless you know the other person really well.
    3. If you met someone at a WordCamp or chatted online, you DO NOT actually know them really well! You are casual acquaintances.
    4. If someone tells you ‘that isn’t a funny joke’ you reply “Sorry.” and shut the hell up.
    5. If you have to explain the joke, you screwed up, it wasn’t funny, and you’re the one in the wrong.
    6. If someone blocks your account do not use a second account to get around it.
    7. If you’re super mad that someone disagreed with you, walk away. You don’t owe them your time.
    8. If you’re blocked, don’t ask why you’ve been blocked.

    Now once in a while people will hit me up and ask why they were muted/blocked. I’ve replied to one of them, and that was because I took one look and thought “Hang on, I like him! What the hell?” And I looked and found out my old block tool had caught him for retweeting someone I’d blocked (he was explaining why the other guy was a dingus). I’ve turned that off.

    And I know someone is thinking “Wait, you said don’t ask.” Here’s the thing, that person I unblocked? Did not ask! He just pinged in another venue and said “Hey, I read about your dad dying and I wanted to say how sorry I am. You always talked about him so kindly. I would have tweeted but apparently I’m blocked. I’m sorry for whatever I said.”

    Isn’t that nice? It caught my attention. I looked, I unblocked. Because that was someone who acted like a human, didn’t expect a goddamn thing from me, and wanted to treat me like a human.

    It’s tragic that acting like that is rare.

  • Vulnerability Reports Miss The Mark

    Vulnerability Reports Miss The Mark

    Lately I’ve been getting a lot of ‘vulnerability’ reports.

    I use the term loosely because the reality is these are not actually serious vulnerabilities. A couple months ago I started getting a lot of weird reports like this:

    A FLAW FOUND ON YOUR WEBSITE!

    Website Security Vulnerability Notification

    Hello, a security researcher reported a security vulnerability affecting [your] website via [company] coordinated and responsible disclosure program:

    Those can be super scary! Is there really a massive issue?

    No. But I know why it feels that way. And frankly I think a lot of these people are targeting the wrong group. Let’s get into it.

    Scare Tactics

    In the case of all the ones I got, there was only one that I felt actually was a vulnerability. But first, here’s what people reported:

    • The PHPInfo Page was public
    • Directory indexing
    • People can list users (aka User Name disclosures) via the REST API
    • Your xmlrpc is showing
    • Incomplete SSL Protection
    • Your email records allow spoofing/DMARC compliance

    The last one? Absolutely an issue. I thanked that person and kicked them some money. But the others? They’re issues, but they’re also incredibly minor! Heck, this user name listing ‘vulnerability’ does not take the following into consideration:

    1. It’s on a site where every author has a page
    2. We have an ‘about us’ page that lists everyone anyway
    3. Strong passwords are enforced
    4. We have a firewall

    The only way I could really improve that would be to enforce 2FA, which I’m contemplating for admins. But that begs the question… is this a vulnerability?

    Okay, let’s ask: why does this work? It’s known that WordPress has a REST API. This API can be used to list public information about registered users. Now the API does ‘expose’ the user data for everyone who’s authored a public post that is shown in the REST API. Posts and pages and some custom post types included. If the user hasn’t authored posts, you won’t have permission. So again, we’re only able to list public authors. Okay.

    Could that be bad? Sure. In the same way having a front door could be bad if someone kicked it in. But ‘security’ isn’t why I would ever consider blocking that. We literally list all the authors publicly already. If someone wants to use wp-json to grab them, cool. It only shows public information we displayed already, after all.

    Why would I consider blocking? To ensure stability. That is, people hammering my site to find out that I’m not user on HalfElf (surprise!) makes my site slower. But… I have a firewall and Mod_Security, and IP Tables, which means if you hit my site enough, it’ll block you. Also a lot of stuff is cached, like it should be. Which means this is not a ‘vulnerability’ but more of a ‘best practice notice’ in my opinion.

    And finally … FFS why are you telling individual site owners this!? If you really think it’s a security issue, take it up with WordPress!

    How Do You Stop Them?

    Well, generally you fix the ‘issues.’ Even if you think it’s full of shit, you fix it. So okay, what do we do?

    PHPInfo? Locked it down. I use it for regular checks of other things. If you’re not, just delete it.

    Directory Indexing? I put this at the top of my .htaccess (and yes, you should, I’d removed it for some tests):

    ### Prevent Directory Browsing ###
    Options All -Indexes

    XMLRPC? I said “Nope, not gonna change.” Because I use the WordPress iOS App.

    SSL? You’ll want to check your setup on things like SSL Checker or Immuniweb or SSL Labs. I found SerpWorx’s tool to be invaluable for spelling out what was missing. The easiest by far was SecurityHeaders.com. For that, I ended up adding this to my .htaccess:

    ### Extra Security
    <IfModule mod_headers.c>
    	Header set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    	Header set X-XSS-Protection "1; mode=block"
    	Header always append X-Frame-Options SAMEORIGIN
    	Header set X-Content-Type-Options nosniff
    	Header always set Expect-CT "max-age=7776000, enforce"
    	Header set Referrer-Policy "same-origin"
    	Header always set Permissions-Policy "geolocation=(); midi=();notifications=();push=();sync-xhr=();accelerometer=(); gyroscope=(); magnetometer=(); payment=(); camera=(); microphone=();usb=(); xr=();speaker=(self);vibrate=();fullscreen=(self);"
    </IfModule>

    The one thing I left out was Content-Security-Policy because that one is crazy complex and needs a lot of testing since a lot of content on the site is remote and needs special rules.

    Email/DMARC? That took a lot longer, and I had to talk to my email provider to sort it out. But you can run your domain through the MXToolBox checker and see what you’re missing. It’s going to make you cry. Email sucks.

    Okay but I wanna hide users!

    I hear you. You can do this in .htaccess:

    ### Block User ID Phishing Requests
    # RedirectMatch is mod_alias, not mod_rewrite, so it gets its own guard.
    <IfModule mod_alias.c>
        RedirectMatch 301 ^/wp-json/wp/v2/users(.*) /about-us/
    </IfModule>
    <IfModule mod_rewrite.c>
        RewriteEngine On

        # ?author=N probes (outside wp-admin) go to the About page too.
        RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
        RewriteCond %{QUERY_STRING} author=\d
        RewriteRule ^ /about-us/ [L,R=301]

        # ?rest_route=/wp/v2/users becomes /wp-json/wp/v2/users (QSD drops the
        # original query string), so the RedirectMatch above catches it too.
        RewriteCond %{QUERY_STRING} rest_route=/(.*) [NC]
        RewriteRule (.*) /wp-json/%1 [L,R=301,QSD]
    </IfModule>

    Now. This means on that site if you go to example.com/?author=1 you will not go to someone’s page. But if you go to example.com/author/ipstenu/ you still would. Which IMO points out how stupid that ‘vulnerability’ is. Yes, I am aware you can see the authors. Oooooh. You’re supposed to!
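    If your host isn’t Apache (nginx ignores .htaccess), the same hiding can be done inside WordPress. This is an added example, not the blog’s own code: a small mu-plugin that does what the rules above do, using the real rest_endpoints filter and init hook; the /about-us/ destination is borrowed from the page’s rules and is an assumption about your site.

```php
<?php
/**
 * Plugin Name: Hide user enumeration (added example, not from halfelf.org)
 *
 * Same effect as the .htaccess block: anonymous /wp-json/wp/v2/users
 * requests stop working, ?author=N probes go to /about-us/, and named
 * author archives such as /author/ipstenu/ are left alone on purpose.
 * Drop this file in wp-content/mu-plugins/.
 */

// 1. Unregister the users routes for visitors who are not logged in.
//    Logged-in users (the editor's author picker, the iOS app) keep them,
//    which is why this is a hide, not a "fix". Because the filter runs on
//    the route table, it covers both /wp-json/... and ?rest_route=... so
//    the .htaccess rest_route rewrite is not needed here.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    // Anonymous callers now get WordPress's normal rest_no_route 404.
    return $endpoints;
} );

// 2. Send numeric ?author=N probes to the About page, mirroring the
//    RewriteCond on QUERY_STRING author=\d. wp-admin is skipped so the
//    Users screen's own ?author filter keeps working.
add_action( 'init', function () {
    if ( is_admin() || ! isset( $_GET['author'] ) ) {
        return;
    }
    $author = (string) wp_unslash( $_GET['author'] );
    if ( preg_match( '/^\d+$/', $author ) ) {
        // Assumed destination: the page's own /about-us/ example.
        wp_safe_redirect( home_url( '/about-us/' ), 301 );
        exit;
    }
} );
```

    As with the .htaccess version, this only changes where the listing is reachable; the author pages themselves still show exactly the same public information.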

    Conclusion?

    A lot of those vulnerability emails are bullshit. I politely reply “Thank you for your concern however we are not blocking access to that because the API is used by other things. It’s considered to be public knowledge anyway.” I may end up writing a form letter.

    And the sucky thing is that one of the sites that collects all that stuff relies only on the reporter to determine if it’s resolved. Both issues they have for the domain in question? 100% resolved. But they say ‘unpatched’ … probably because I told both reporters I’m not paying them.

    I added this to my profile:

    We do not accept reports of basic WordPress functionality, such as the Rest API being active, the use of xmlrpc.php, the enumeration of users, etc. Those are an acceptable risk. Please don’t bother reporting them, they should be addressed with WordPress directly, not end users.

    By the way. The bug bounty program that keeps emailing me? Uses WordPress. And guess whose site has /wp-json/wp/v2/users available to list all their public authors? Yeah. Because it’s not a goddamn major issue.

    I know someone’s gonna point out it could be a major issue. Sure. Like having a window means your house or car could get broken into. That doesn’t mean you remove all the windows!