Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Is

Making philosophy about the why behind technical things.

  • Encrypt My Site, Please!

    By now everyone running a website has heard about how Google gives sites running SSL a bit of a bump with search rankings. It’s been a year since they started doing that. The bump is not significant enough to impact most people, but making all the things HTTPS is still a good idea.

    It’s really all about security. I personally use HTTPS for the backend of my WordPress sites. Logins and wp-admin are all secure. The same is true for my MediaWiki site and my ZenPhoto gallery. I access things securely because the data I transmit could be important. Sure, it’s just passwords and such, but then you look at my site where I sell eBooks.

    That site is on the same server, the same account, and the same WordPress install as this one. You bet your ass I’m making it all secure. But this comes at a cost.

    The invention of SPDY aside, HTTPS is rarely as fast as HTTP. It can be difficult to set up caching, or to put a TLS terminator such as Pound or Nginx in front of your cache, to cover for the fact that Varnish doesn’t cache SSL. These things aren’t impossible to do. They’re just harder. And they’re generally going to be slower than plain old HTTP.
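    As an added illustration (constructed for this page, not taken from the post or from any of the projects it names), this is the shape of the termination setup that paragraph describes: nginx answers HTTPS, then hands plain HTTP to Varnish, which can cache as usual and forward to Apache/PHP behind it. The hostname, certificate paths and the Varnish port are assumptions.

```nginx
# Constructed example: nginx terminates TLS, Varnish (assumed on its
# default 127.0.0.1:6081) caches, and Apache/PHP sits behind Varnish.
# Hostname and certificate paths are placeholders.

server {
    listen 80;
    server_name example.com www.example.com;
    # Never serve the site over plain HTTP; send every request to HTTPS.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com www.example.com;

    ssl_certificate     /etc/ssl/example.com/fullchain.pem;  # placeholder
    ssl_certificate_key /etc/ssl/example.com/privkey.pem;    # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;

    # Tell browsers to stay on HTTPS on later visits (HSTS).
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass         http://127.0.0.1:6081;   # Varnish listens here
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        # Behind a terminator WordPress only sees plain HTTP, so it will
        # generate http:// links and redirect loops unless wp-config.php
        # maps this header back to $_SERVER['HTTPS'], e.g.:
        #   if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
        #       && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
        #       $_SERVER['HTTPS'] = 'on';
        #   }
        proxy_set_header   X-Forwarded-Proto https;
    }
}
```

    Varnish itself never sees a certificate in this layout, which is the point: the cache keeps working exactly as it did for plain HTTP, and only the nginx hop pays the TLS cost.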

    The question has never been whether these things can be done, but whether they can be done by entry-level people. Certainly we can say “If they’re not using SSL for all the things, they’re not ready for a great volume of business” and use that as a line of demarcation. And when we’re communicating our private lives, we should certainly consider this. But then, this site, where only I log in?

    Do you need SSL? Would it make you feel better or more secure? All you can do is comment. Do you need the feel-good? Do I need the extra security? If I decide yes, then I have to consider the weight this puts on my site. I have to consider how best to cache the content.

    I also have to think about how to get a certificate, and SSL certs can be the biggest Internet scam out there.

    How much is a multi-domain SSL cert, including subdomains, per year? A few hundred? It’s a bigger hassle than the EU VAT drama. It’s expensive, and it’s a hassle to get set up and installed. Now, thankfully, next month we’re expecting Let’s Encrypt to show up, and they’ll make the cost less prohibitive. It doesn’t make the drama of installing the certs any better, but it’ll lower the bar for people who are trying to make things secure.

    Yes, you can get StartSSL for free, but it’s not as simple as all that. When all you need is one certificate, it’s only about $10 a year and that’s fine. When you start getting into the need to secure all the things, it’s a mess.

    What has to happen next, though, is for server software to step up. Apache and nginx are both far faster now than they have been, but they’re our ultimate breakpoint. PHP has to push itself to handle things better and faster, lest we all run over to HHVM. We are getting better, of course, but if we want everyone to be on HTTPS, we have to make it easy.

    Not easier.

    Easy.

    The bar is still too high for the majority of people, and that’s a problem. Either we start offering hosting services that handle this, or we start making the software easier. But we can’t just say “Oh, it’s simple to make your site HTTPS and fast,” because it’s not.

  • Everything Is Vulnerable

    Every other day we hear about a tool that has a vulnerability. It’s been the servers we use, Flash, or Silverlight, or the Jeep that was hacked.

    This Is Not New

    The idea that hacking like this is new or novel is, let’s be honest, naive. In the 1800s, people used to hack into the newly born telephone system. Before that, we didn’t call it hacking, we called it conning. Yes, the confidence games people played to get others to trust them and then rip them off are the same idea as a hack.

    A hacker is someone who finds a weakness in a computer system and exploits it to some benefit. Early bank penetration tests, the ones to see if they could get at your money, were as much social engineering as technical skill. A ‘hack’ is simply something taking advantage of an exploitable weakness. This is not new to anyone or anything.

    The Scale Has Changed

    The primary difference between the hacks of old and the ones today is the scale of those hacks. Hacks used to be very personal for a reason: there was no worldwide network. Your hacks had to be local and careful, because no one trusted the stranger. You had to build up credibility before taking your win. Of course, now we have near-instant communication with the entire world. That means it takes milliseconds to reach the server of someone in Africa, all from your happy NYC Starbucks.

    The difference is that now, when someone says “And Flash has a security vulnerability” the number of people impacted is in the millions. And the number of people who can be hurt by it is, similarly, high.

    We’ve spent years trying to create a global internet, and in doing so we’ve quickly shared communicable internet diseases with each other.

    Nothing Is Unhackable

    My boss and I were chatting about the ways one might hack the stock exchange, and he pointed out that one of the ways they slowed down trades was by having a really long cable.

    38-mile coil of fiber-optic cable
    Credit Stefan Ruiz for The New York Times

    This cable, and yes it’s real, is literally used to create a small delay in the processing of orders, to level the playing field between traders. In short, it makes sure that the trades from across the ocean run at the same speed as the ones from the people in the room at the New York Stock Exchange. Each additional mile of fiber-optic cable adds 8 microseconds to a transaction, which adds up to 304 microseconds. Among other things, this is hard to hack. You can’t send a software signal faster than light travels down the fiber (physics being what it is), so it made things harder to hack.

    The next Mission Impossible movie will involve Tom Cruise being slowly lowered into the box with that cable in order to shorten it invisibly. Only Cruise can do it because only he is small enough.

    That was my joke. But it actually demonstrates the point rather well. You can physically hack things as well.

    Analyze The Risk

    To quote my father, “What can go wrong? How likely is it? What are the consequences?”

    That’s why I don’t own a WiFi-enabled garage door or thermostat. Do I think they’re cool? Yes. Do I think they could make much of my life easier? Yes! But they’re new and they’re toys, which means people spend a lot of time poking at them and digging into the underlying layers to see how and why they work. Which means people are finding hacks daily.

    That means the likelihood of someone figuring out how to use my thermostat to drive my budget through the roof is pretty high. Someone already did that to his ex-wife if that review is to be believed. Of course he had the access in the first place, but it proves one point. If you get access, you can do things.

    Change that to my garage door? Or my front door? Say goodbye to my things. I know I’d be a target because I’m using the pricey toys to start with.

    Educate Yourself

    If you can manage not to do stupid things, the odds of you being hacked are low.

    By stupid things, I mean using insecure passwords. I mean logging in on public WiFi to do your banking. I mean installing any old plugin on a WordPress site running a store.

    The things you know are dangerous.

    Don’t be stupid. Make backups. Be prepared for disaster.

  • Don’t Publish Bad Code

    I thought it was self-evident, but two of my more respected programmer friends missed the point or, rather, took issue with one aspect of it.

    So let me rephrase what I meant when I said it was okay to write bad code.

    Write all the bad code you can. Learn from it. Make it better. But the code you publish should be the goddamned best damn code you’re capable of writing at that moment in time.

    The point I was trying to make was not to let the fear of ‘This code is shit’ stop you from learning and improving. That’s like saying if you can’t play a piece of music the first time out, you should quit. That’s stupid! Few people can do that! The rest of us have to practice and learn and keep going.

    And yes. That means sometimes when we give a public performance we screw up. That doesn’t mean we shouldn’t perform. That doesn’t mean we shouldn’t fail.

    You’re going to fail, okay? Just give up on that wish. Everyone fails. We fail more times than we succeed, and that failure hurts more than the success feels good.

    When you do a thing, do it to the best of your abilities and no less. If you’ve left a comment of “Come back and fix this,” then you damn well go fix it before you release the code. Writing bad code is no excuse to slack off; it’s an acceptance that not everyone gets it right from the start and you’re going to have to learn from it.

    So learn.

  • Rant: Chrome is the New Nanny Browser

    Part of my job is to look at possibly naughty and dangerous sites. Usually Chrome gives me an ‘are you sure?’ warning before I look at a hacked site, and I understand why. But see, my job involves me going to known hacked sites, seeing what’s going on, reverse engineering, and fixing. So yes, Chrome, I need that ‘I’m sure’ option.

    Lately Chrome hasn’t been giving me an option. It’s been saying no.

    So I went to the documentation, “Can’t download files on Chrome,” to find out how to turn it off, and I was annoyed.

    If you don’t want Chrome to show you download warnings, you can turn off your phishing and malware protection setting. Turning off these warnings will also turn off other malware and phishing alerts:

    I want phishing protection!

    Actually what I want is Chrome to say “This download may harm your computer. Don’t download it if you have auto-expand or auto-run on for downloaded files. Are you sure you want to download this?” and default to NO.

    And no, I’ve not figured out how to do this yet.

  • OpEd: Community, Community, Community

    Lately there has been a lot of talk about the issues within various communities. It might be the shit storm over in Reddit land, it might be the drama in WP World. It doesn’t actually matter for the purposes of this post.

    Poisoned Well

    As my friend Helen asked recently:

    Do you ever feel like the entire internet has been taken over by trolls because I feel like I’m drinking from a poisoned well right now.

    I do.

    All the time. Always have. People have always used the internet as a way to let out what they’re feeling without filtering it through their humanity first. They hide behind anonymity, or the simple shield that they can’t see the faces of the people they bully and humiliate. They see it as ‘just good fun’ or ‘just letting things out.’

    My friends know I feel that way too. But I always ask them “Can I be unfiltered? I need a rant.”

    The Internet Is Broken

    What we’re facing is the endemic brokenness of communities as a whole and their sewage spewage.

    As my friend JJJ remarked (specifically about a subject but it doesn’t really matter for the purposes of this post):

    … I’m waiting for a “things are broken” post …

    J-trip, I know I’m not the person you’re asking for the post from but, yes, things are broken. Things are badly broken. Things have always been broken. We’ve always been at war with Eastasia. Things are broken because we, as humans, are broken. The online communities we tout as being fundamental to the growth of software development, and that bind us together, closer, as humans, are broken because humans suck.

    What’s broken isn’t PHP or Reddit or WordPress.

    What’s broken is us.

    And we remain broken because we don’t fix things.

    Let’s Fix It

    Fixing isn’t easy though.

    Unlike your ‘in person’ community, an online one is incredibly diverse.

    At the same time, we need to stop giving it a free pass simply because it’s online. Treat it with the care and love you would treat the people who come together to shoot arrows or sew or watch a baseball game. This is a community and we need to treat it like that.

    Remember that what we do in public, and yes the Internet is totally public, reflects on who we are because it is who we are. Behave with integrity and honesty and be yourself. If that self reveals itself to be a bad person who does mean things and doesn’t care about the outcomes, then deal with the outcomes.

    Stop pretending that there are no repercussions just because you’re online. Stop thinking that you can get away with being mean just because it makes you feel better. Start caring about people as people, online and offline.

    And then there’s the hard thing. Stop letting people get away with it. We all fear the cry of censorship, but there will come a time when we have to stop killing ourselves. It’s our choice to keep the hatemongers among us, and it’s our choice to tell them to change or leave.

    Make the right choice.

  • Rant: We’ve Forgotten Netiquette

    When I was new on the interwebs, people told me things like “Don’t bump your posts” or “Don’t nag people.” I took those lessons to heart, and even though this new online message board thing was awesome and addictive and a great way to talk to people all the time, it introduced us to a new/old problem: instantaneous gratification.

    While the world is a 24/7 place, and people are working around the clock to make cool things, it’s really hard for people to understand what being ‘polite’ means in these instant times. But I get poked on email, then in a Slack chat, then on Twitter, then on Facebook (where few people can access me at all), and even G+ when someone decides they need to get in touch with me ASAFP.

    Since the Core Rules of The Net have been lost on many of us, here are some rules for you:

    Respect Downtime

    Every time you ping someone more than once in three days about the same thing, you’re probably hitting them on their downtime. People need breaks. Just because I’m active on Twitter, talking about comic books or music, doesn’t mean I’m available to talk about debugging your website.

    Respect “No”

    If someone tells you “Not right now.” or “Please ask someone else.” there is only one, proper, reply. “Okay, sorry about bugging you.” And you walk away. (You can ask “Sorry, who else can I ask?” of course if you really don’t know, but people bugging me actually do know if they think for a moment.)

    Respect Priority

    I got news for ya. You’re not my priority. Oh, I do understand the importance of you and your work, and that it’s very much on your radar. But you’re not always at the top of mine. I have to set my priorities in my own order, and sometimes I can’t tell you about them. It’s never a case of being dismissive; it’s always a case of having a lot to do and having to sort things in an order that I can maintain. It really sucks when you’re not the priority, but it’s the world we live in.

    Respect BRB/Later

    Sometimes I’ll be working with someone in chat and my wife will ask me a question that needs an answer now. Or she’ll want to go out. And if we’re not working on a ‘save the world’ thing, I will likely say “I need to go take care of my personal life. Can we pick this up at another time?” I will work out when that other time is, but people should respect that space. Similarly, if I type “Hang on, I have to deal with a thing,” then maybe I’m talking about a bathroom visit, or maybe my cat lit the other cat on fire. Either way, someone taking a long time to reply is not cause for hurt feelings. We need to have time to think, time to process, and time to put the fire out on the cat.

    Respect ME

    Look. This should go without saying, but respect me. Respect what I say to you, and when and where I say it. Respect me as a human, as you would want to be treated. If I say “Stop being so pushy, you’re not making it easier for me to do XYZ,” then stop being Gordon effing Ramsay and give me a moment. If I ask you not to communicate with me about something on a specific channel (like asking me long WP questions on Twitter), then respect that. It’s totally okay to ask me “Where can I ask you for help with…?” but it’s not okay to assume that I’m going to want to be all WordPress all the time everywhere.

    I happen to like other things and so do you.