Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Is

Making philosophy about the why behind technical things.

  • LastPass? LostPass!

    ModemLoper came up with the name.

    So here’s a frustrating experience. My office uses LastPass to share passwords for things. Secret things. They send me an ‘invite’ for the Enterprise account with my company email. I go to log in with the first-time password thing, and it says I need to make a new password. Sure, because email isn’t secure, so I make a new password the same way I have for the last year. I open up 1Password, make a new account there (LastPass – Work) with the login as my.email@myoffice.com and generate a password. So I have a password stored there you see. I then copy that password and paste it in, twice, to change the password.

    I want to note some things here. I did not have a message about how my master password was super important at this time. In fact, it just said to enter it twice. Also remember this was for an ENTERPRISE account. Not a normal user. Okay?

    So I do that, it says yay log in now! I take the same password, paste it in, no go. Oh, okay, maybe a butterfly farted. I’ll just reset it. Guess what I can’t do? The password ‘Hint’ was useless, since my password was along the lines of dyEno4FfW4EsED and I’d set the hint to “1Password” like you often do. Also there’s no ’email me my password’ or ‘reset my password’ thing I can use. Probably because email isn’t secure. The email where they’d emailed me a temp password just before to create my Enterprise account.

    At this point I tweeted obscenities. I have an account but I can’t use it. I can’t reset the password. I can’t recover the password. I don’t have a ‘One Time’ use password because I never got to the point where it let me create that sort of thing. Ditto with ‘reverting’ my vault. There was nothing to revert to so I couldn’t do that. The official answer was to delete my account and start over. There was more swearing. Most of it public use of the F-word on Twitter.

    But I did delete the account, made a new one, and this time it said “Hey, this master password thing is super important!” and took me to a second screen where I have to re-enter it. Oh, and yes, I used the same password I’d made before. It worked this time. My coworker resent the invite to join our Enterprise account. I do so, set up Two Factor Authentication, trust my laptop, and he shared the folders.

    As I spell out the drama to him, I realize that this may be happening because I didn’t have an account before. That is, I went ahead and used the account and password from the email. Don’t believe me that they sent a clear-text password? Here:

    LastPass email with a clear text password. Proof, I tell you!

    I redacted the account, even though you could guess it. Four hours pass. I get a tweet from the LastPass CEO:

    https://twitter.com/joesiegrist/status/403649508715667456

    to which I replied:

    https://twitter.com/ipstenu/status/403649761212784640

    Everything’s fine now, and my takeaway from this is ‘Make an account before joining an Enterprise’ because clearly their ‘sign up through your enterprise’ thing is buggy. The whole interface is a little janky, and I find their statement of how they cannot possibly reset your password to be weird:

    Recovery for LastPass is not the same as other services you may have previously used – due to our encryption technology, LastPass does not know your Master Password, so we cannot look it up, send it to you, or reset it for you. This means your data remains secure from threats, but also means that there are limited options when you forget your Master Password.

    I gather they mean “There’s no way to change your password without knowing your current password.” And really this is the ultimate security, isn’t it? No one but you can change it without knowing your master password. The problem with this, and really all these things, is that if I have one master password, it must be easy for me to memorize and remember at the drop of a hat.

    Which means my master password is my least secure password. Check the sticky notes on my monitor.

  • Impostor Syndrome

    Shortly before I pushed out an ebook (WordPress Plugin Support) I had a rush of panic and fear. “Why do I think I’m capable of this!?” I asked myself. “I’m not a great coder like Jorbin! I don’t know deep seated WordPress secrets like Otto! I’m not an autodidactic trac machine like Sergey! Where do I get off thinking I can write a book about plugins!?”

    Then I stepped back. I wasn’t writing a book about how to write plugins or how to code, or even everything that everyone did wrong. I was writing a book about how to submit a plugin to the repository. I was writing about how to handle support, how to document, how to reply to people, and generally how to not be a pain in the ass. That’s all stuff I know damn well, and I’m good at!

    So why was I scared?

    Impostor syndrome is a weird idea. It’s basically feeling like you’re not worthy of the praise you get. Have you ever had someone say “Thank you!” and you replied “It was nothing.” even though it was hours of thought where you racked your brain for a long lost memory? Why didn’t you say ‘You’re welcome.’ instead? It’s because somewhere, deep down in your head, you were sure you didn’t deserve it.

    Mentioning this on Twitter brought up the suggestion I write a book about impostor syndrome and how to overcome it, but the fact is I don’t know how.

    Oh, don’t get me wrong, I know what I’m supposed to do, but I can’t do it and not feel a little bit like a fraud. I was always told ‘Write what you know!’ and that gave me the courage and confidence to hit the publish button on a lot of posts here, and my books. Certainly I wasn’t raised to not be confident, which is funnier if you know my father. I have absolute confidence in myself and my abilities. I know I can do things, but still I get scared.

    Here’s what I do know. At some point in my life, I lost that ability to be certain at all times. But only when I’m alone. Before I speak at a WordCamp, any WordCamp, I am tense and stiff, not very funny, anxious, and nervous. People get a lot of crappy pictures of me that way. I told the photographer at Las Vegas “It takes a bit for me to warm up. As soon as I start talking, though, I’ll be fine.”

    And this is true. Once I start doing it, I’m fine. As soon as I hit publish, the fears were gone. As soon as I did something I felt great. This is true pretty much all the time (except the one time I clearly remember thinking “Bad choice! Bad choice!” and it ended in broken bones). I know it won’t be perfect, and I know I’ll probably have to go back and fix things, but that’s alright.

    What is the truth?

    What is the truth here? Am I really lying to myself at one point in this process? Do I really know nothing? Why can’t I, or anyone, just shake it? It’s not true, and I know it, that I’m incapable of things, but fear and all this stuff that’s ‘in my head’ is frustrating especially because I know it’s pretty much all in my head.

    The point, and this comes back to why this is on my ‘tech’ blog and not my personal one, is that what holds us back more than anything else is ourselves. The reason I don’t code ‘as much’ with core is not because I can’t but because I still feel awkward and slow when doing so, which holds back a process which is running along so fast now, it can hardly stop to wait for me.

    But instead of grumbling and giving up, I’ve been slowly, steadily, working on what I can do, making it good– no, making it great, and moving forward with that. Sometimes that develops into a patch, and sometimes it means I write a long blog post about things and what they mean to me, or how I learned them.

    That’s my truth. The only way to keep fighting that impostor feeling is to ignore that inner-me telling me I’m not good enough, accept the fact that I’m probably not fast enough for the rapid development world, and just truck on keeping up and fixing what I can, when I can.

    But this is my answer. It’s not going to be the same for everyone, and that’s why I can’t (yet) write a book about this. Because there is no answer for everyone, or even enough people, to make that doable. Still, know this. If you did something, if you tried something, then you did it. You tried it. No one can take that away. Not even that really annoying inner you who thinks you suck.

    Because you don’t suck.

  • Open Source Olympics

    I try never to argue about the ‘spirit’ of the law these days and god help me if I ever consider talking about the spirit of GPL. But I do have a firm belief in the spirit of what Open Source is and how that impacts what we do.

    I generally tell people I’m a Socialist and that’s why I love Open Source. It’s also true that I love the Olympics not because I want my country to win (I rarely keep track of medal counts) but because I want to see people exceed their expectations and go higher, faster, stronger. I cheered when the Dutch finally won the shorter length races in speed skating. I was sad when Simon Ammann did not place in ski jumping (I’ve been watching him jump for 16 years!). I was delighted to finally see women’s ski jumping!

    But if I wanted to sum up exactly why I love the Olympics so much, this single viral photo sums it up:

    Russian skier, Anton Gafarov, gets a new ski from Canada

    If you watched the US broadcast of the men’s cross country finals (individual sprinting – they’re basically doing running on skis, it’s brutal), you saw Anton Gafarov wipe out, or at least part of it. They readily admitted they missed why he fell, but rewound so you could see this poor guy, skiing in his home country, come flying down on his back, behind the other skiers, and crash into the wall. He lay on the snow in anguish, because he knew he would never get a medal now. He had trained his life for a moment that may never come again, and that hurt.

    But, and this is what you didn’t see on NBC, Gafarov got up and kept racing.

    Russia's Anton Gafarov falls with a broken ski during his men's semifinal of the cross-country sprint at the 2014 Winter Olympics, Tuesday, Feb. 11, 2014, in Krasnaya Polyana, Russia. (AP Photo/Matthias Schrader)

    And then he fell again, because (as you can see), his ski was broken beyond repair. It would be illegal for him to finish on foot. His race was totally done. In a sport where the difference between first and second is tenths of a second, he was out the moment he fell, but now he wouldn’t even be able to place and would end his Olympic experience disqualified. If you’ve never been a part of a competition where you DQ’d, I promise you that hurts way worse than not placing well.

    That’s not where the story ends, though. Go back to that first picture. See the guy on the right side getting him set up with a new ski? That would be Canadian coach Justin Wadsworth.

    Canadian coach Justin Wadsworth running to Gafarov with a replacement pair of skis and putting them on.

    Wadsworth took new skis out, helped Gafarov put them on, and thus the Russian finished the race (in dead last) to rousing cheers from the crowd. When asked by Canadian news site The Star why he did it, the answer was simple: “It was like watching an animal stuck in a trap. You can’t just sit there and do nothing about it. … I wanted him to have dignity as he crossed the finish line.”

    We love to say that the Olympics are about overcoming adversity and doing amazing things, but much of Olympic spirit is inclusion and helping others. It’s never ‘us versus them’ but ‘look at how cool humans are.’ And to me, that’s what I mean when I talk about the Spirit of Open Source.

    Open Source is about people creating amazing things in an open environment, without fear of restrictions. It’s giving incredible freedom to let the art of code shine through the function, and it allows for astounding advancements because of that. But it’s also about making things better by doing it together, and by enabling the next guy to take your work and do more.

    If we see someone who has a need, we try to meet it. Not always for those wants (like I’d love a new iPad and laptop, but I don’t need them), but when someone’s in a massive car accident, or loses a job, or wants to go to an event and can’t afford it, we move heaven and earth.

    Open Source would bring Gafarov a ski.

  • Forget 100%

    Can I tell you a secret?

    I hate the five nines. The Six Sigma Stigma has me wishing that everyone who tells me they’re a ‘black belt’ please die in a fire. It’s not that I don’t think that the process can work for some people, or that it’s useless as a whole, but that I think too many people treat it like an MBA. “I did this thing for a few months, I am now an expert.” I had a bunch of coworkers who did that. I hated them. I got to the point that if you said “We need five-nine reliability” I had a Pavlovian reaction that involved me rolling my eyes and tuning out.

    Now this doesn’t mean that I don’t think 100% ‘uptime’ in anything is a nice goal, but I see it as a lofty goal. Look, you know this stuff already. I will not walk down the stairs successfully 100% of the time. I will not have the next key I strike on my keyboard function as I expect 100% of the time.

    So moving this off and saying “I don’t need 100% uptime, I need 99.999% uptime.” doesn’t actually change anything. In fact, I’m willing to bet that a lot of people look at the five 9s and think that it’s so close to 100% that they should never see or notice an outage. Thanks, Six-Sigma people, you just made 99.999% synonymous with 100%.

    That wasn’t the secret, though.

    My secret is that I don’t care about 100% uptime in anything.

    I worked for too long in deployment to understand that there is no such thing as 100% uptime for anything. There are ways to minimize and mitigate downtime, and there are ways to make sure it causes as little impact as humanly possible, but there’s no way to avoid it. Ever reboot your computer? Of course! Ever upgrade WordPress? You have then experienced downtime. It’s a nature of life. I expect it, I don’t sweat it.

    So if I don’t care about 100% uptime, what do I care about?

    Reliability, accountability, responsibility, and timeliness.

    I was reaching for the words that end in “ibl”, but really the root of able is my concern above all else. Are they able to handle it when things go pear shaped? Are they able to fix problems quickly, correctly, and efficiently? Are they able to prevent the exact same error from happening again? Are they able to own up to their mistakes?

    I don’t expect anyone to do all that 100% of the time, but I expect them to care about the things that are important to them as an entity. My webhost should care about the servers not being on fire and serving up webpages. My bank should care that my money is safe and available. My government should care that it’s … Too soon? Anyway, the point is that you should care about what you do, and provide the best service you can. Now, if 50% uptime is your best, maybe I’ll look for someone else. I am reasonable about these things. If email goes down, how fast did you get it back up? But to me 50% isn’t reliable unless I’m looking for something that, intentionally, only works half the time.

    All this said, I don’t actually look at the uptime numbers all that much, unless I feel that the reliability is sub-par. The actual numbers, the metrics, the absolute “This service is up 100% of the time or your money back” is not really what I count on. My friend Pippin said it wisely the other day:

    I have far more faith in a company that encounters occasional problems but responds incredibly promptly than one that has fewer issues but doesn’t respond half as well

    He happened to be talking about a brief (like 10 minute) outage on his site when all databases were inaccessible.

    Don’t bank on the percentage, bank on the ability to react and come back.

  • Just Ask

    Someone asked me why I spoke at some events and not others. Or why I was on some podcasts and not others. For WordPress, I do generally apply to speak if I’m going (for what I consider obvious reasons, I’m good at it and I actually enjoy it, shut up Jenifer, you were right) but I also like going to WordCamps just to learn and be social in a businessy sort of way. This is my job, after all.

    So why did I talk on WPWatercooler or MeetWP or The Matt Report? Why did I do the interview with Code Poet? It’s so simple you’ll laugh.

    They asked.

    I very rarely say no. The two days I tend to are Fridays and Saturdays. I’m not online Saturday, and Friday is usually pretty busy for me. Okay, and I admit Sundays I’m usually out at the archery range or solar (it’s an arts and crafts thing), but still, with enough warning I can make some time. The point being, I’m totally fine with people asking me “Hey, can you be on our thing?” Unless you’re totally hate filled, anti-everything, jerks (which is … surprisingly hard to find in the WP world), I’ll likely say yes if I have the time.

    Mind you, I don’t listen to or watch most podcasts or hangouts in real time. I just don’t have that time anymore. I have a backlog saved, and when I’m at work, I play them on my iPad when things are slower.

    I am sorry to have had to turn down WordCamp Orlando last year, but I’d just come off of three funerals and 6 events in 8 weeks, and I was burning out emotionally (I’m putting you on my list for 2014!). I’m sorry I had to turn down a same-day request from the Matt Report once, but it was just phenomenally bad timing that day. I didn’t even see the email until it was almost too late. Yeah, that kind of day.

    The point to all this is that while I know a lot of people don’t find me super approachable because I like having my personal space respected, and I feel that an unsolicited email is roughly the same as a phone call, my real intent with that viewpoint is to make you think. Think about what you’re asking. Think about what you’re giving to people and what they’re giving you. Don’t take brutal advantage of their good nature, and always respect them as humans with lives and agendas that may not be 100% the same as yours.

    See that’s not hard? Give and take is what makes WordPress great.

  • SSL for One Domain on Multisite

    To start with, I made a mistake and assumed, bad me, that the Terms of Service that let me collect donations for my ebooks would similarly be okay with collecting payments for said ebooks. Alas, no. “Digital goods including digital currency” are not permitted, and that was my bad. It resulted in me losing my entire account and having to fight to get my customers their money back.

    Meanwhile I decided to get started on making an easy way for people to pay and stay on my site (like Stripe), and this, no matter what, means I need to have SSL.

    Normally that’s not too much of a problem, but my store happens to be a subdomain of a mapped domain on a multisite. My WordPress install is at ipstenu.org. This site is actually tech.ipstenu.org, and my store (store.halfelf.org) is actually hshop.ipstenu.org (stands for HalfElf Shop…). I used domain mapping to point halfelf.org to tech.ipstenu.org, and store.halfelf.org to hshop.ipstenu.org. While I could just edit the site and home URL in the ‘Edit Site’ page, domain mapping is needed in order to tell WordPress that the domain is really a thing.

    Setting all that up was the easy stuff, though. The SSL part was something I’ve poked at before and given up, since multiple domains and one SSL cert is a pain in the ass. But today, if you go to the Half-Elf Warehouse, you’ll see it’s all SSL! (NB: It was. It’s now only SSL on pages that need SSL, to allow for better caching.)

    You will need….

    SSL Certs

    This is the easy part. You need an SSL certificate for the domain you need to protect. If this is the only domain you want to add this on to, it’s relatively easy. If you need to add SSL on to multiple domains, check with your webhost.

    I actually have multiple SSL certs. The problem with multiple SSL certs is that a wildcard one for subdomains costs around $300 (this is on Comodo), and I have three domains I need to protect on one server… Oh. Wait, wasn’t this a problem before? As it happens, I’ve got SNI on my Apache instance now, so that was fixed. I picked up a cert for store.halfelf.org and set it up, done. Except…

    Add-on Domain

    Why this? Well it’s funny. I used to always tell people ‘Use Parked Domains, it’s way easier’ and this is still true, it just has a caveat of ‘unless you’re trying to use SSL.’ Now that I am, I hit a sticking point where a parked domain cannot have its own SSL cert, but an add-on domain can. This was a simple fix. I deleted the parked domain and flipped it to an add-on domain. Then I added the certificate in for my site and now I have https on ipstenu.org and store.halfelf.org but not halfelf.org. Why? Because halfelf.org and store.halfelf.org are separate add-on domains. Had I bought a wildcard cert for halfelf.org, I could have made halfelf an addon, and store.halfelf a parked domain on top of halfelf, but this works too.

    The other option, of course, is a multi-domain cert, which is too much money for my tastes, and I don’t need it all the time. I have SNI, which makes this so super easy for me, it’s silly. Just add the cert for the domain and have a party.

    WP-Config

    But today I only want to force one of my mapped domains to be SSL:

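    // HTTP_HOST is not set for command-line runs, so check it exists before comparing.
    if ( isset( $_SERVER["HTTP_HOST"] ) && $_SERVER["HTTP_HOST"] === "store.halfelf.org" ) {
        // Force HTTPS for the admin area and the login form on this host only.
        define('FORCE_SSL_ADMIN', true);
        define('FORCE_SSL_LOGIN', true);
    }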
    

    No, that was it. If it’s two domains, it’s this:

    if ( $_SERVER["HTTP_HOST"] == "store.halfelf.org" ) { ...}
    
    if ( $_SERVER["HTTP_HOST"] == "ipstenu.org" ) { ...}
    

    and so on and so forth. Why not use an OR check? Because it failed miserably when I did that. I suspect it’s due to ipstenu.org being my main domain, but I was tired and stopped here.
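
    The Host header is supplied by the client and can arrive in mixed case, with a port, or with a trailing dot, so a per-host check in wp-config.php is more predictable when the value is normalized and then compared against an exact allowlist. The following is an added example, not the author’s code: the `hypothetical_*` function names and the sample headers are constructed, and the two hosts are the ones named above.

```php
<?php
// Added example for wp-config.php (not the author's code). Function names are
// hypothetical; the two hosts are the ones named in the post.
$ssl_hosts = array( 'store.halfelf.org', 'ipstenu.org' );

/**
 * Reduce a client-supplied Host header to a bare lowercase DNS name.
 * Returns '' when the header is missing or is not a plain hostname.
 */
function hypothetical_normalize_host( $raw ) {
    if ( ! is_string( $raw ) ) {
        return '';
    }
    $host = strtolower( trim( $raw ) );
    $host = preg_replace( '/:\d+$/', '', $host ); // drop an optional :port
    $host = rtrim( $host, '.' );                  // drop a trailing root dot
    return preg_match( '/^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$/', $host ) ? $host : '';
}

/** Exact-match allowlist test; subdomains and look-alike suffixes do not match. */
function hypothetical_host_requires_ssl( $raw, array $ssl_hosts ) {
    $host = hypothetical_normalize_host( $raw );
    return $host !== '' && in_array( $host, $ssl_hosts, true );
}

// HTTP_HOST is not set for command-line runs, hence the isset() guard.
$raw_host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : null;

if ( hypothetical_host_requires_ssl( $raw_host, $ssl_hosts ) ) {
    define( 'FORCE_SSL_ADMIN', true );
    // Kept to mirror the post; since WordPress 4.0 FORCE_SSL_ADMIN covers login too.
    define( 'FORCE_SSL_LOGIN', true );
}

// Demo only: constructed Host header samples, printed when this file is run
// directly with the php command. Leave this part out of a real wp-config.php.
if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $samples = array(
        'store.halfelf.org',
        'STORE.HalfElf.org:443',
        'ipstenu.org.',
        'tech.ipstenu.org',
        'store.halfelf.org.example.net',
        '',
    );
    foreach ( $samples as $sample ) {
        printf(
            "%-34s => %s\n",
            var_export( $sample, true ),
            hypothetical_host_requires_ssl( $sample, $ssl_hosts ) ? 'force SSL' : 'leave as is'
        );
    }
}
```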

    .htaccess

    Okay, now I want my domain to default to SSL when people visit too!

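    # Send plain-HTTP requests for the store to the HTTPS site.
    RewriteCond %{HTTP_HOST} ^store\.halfelf\.org
    # Match the port exactly; a bare !443 would also skip ports such as 8443.
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^(.*)$ https://store.halfelf.org/$1 [R,L]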
    

    That was easy.

    WordPress SSL

    What about making everything on my page load SSLish? Install and activate? That was it? Oh. Okay.

    Verify!

    https://store.halfelf.org

    Hey! Looks good! Actually I’d had a problem when I first ran this.

    Chrome's Warning for SSL

    Yeah, that little yellow triangle. What the heck did it mean? I trotted off to Why No Padlock? and got an error:

    SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
    ERROR: no certificate subject alternative name matches

    That didn’t help me at all, so I viewed page source and looked for http://store and didn’t find anything. Then I looked at the console and saw that it had an error on some JS:

    //Moral? Always read the ToS.
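
    The checker message quoted above, “no certificate subject alternative name matches”, means that none of the DNS names listed in the certificate the server presented covers the hostname that was requested, which is also why store.halfelf.org and halfelf.org need separate handling in the add-on domain section. The following is an added example, not code from the original post: the virtual-host table, the SAN lists and the fall-back to the first virtual host’s certificate are constructed assumptions that model the setup described.

```php
<?php
// Added example, not from the original post. Certificate contents are constructed.

/** True if $host is covered by one dNSName entry (exact or left-most wildcard). */
function san_entry_matches( $host, $entry ) {
    $host  = rtrim( strtolower( $host ), '.' );
    $entry = rtrim( strtolower( $entry ), '.' );
    if ( strpos( $entry, '*' ) === false ) {
        return $host === $entry;
    }
    // Accept only "*.<at least two labels>"; reject "*", "*.org", "s*.x.org".
    if ( ! preg_match( '/^\*(\.[a-z0-9-]+){2,}$/', $entry ) ) {
        return false;
    }
    $dot = strpos( $host, '.' );
    // The wildcard stands for exactly one non-empty label, so the apex
    // (halfelf.org) and deeper names (a.store.halfelf.org) do not match.
    return $dot !== false && $dot > 0 && substr( $host, $dot ) === substr( $entry, 1 );
}

/** Return the first SAN entry covering $host, or null (the error in the post). */
function matching_san( $host, array $san_list ) {
    foreach ( $san_list as $entry ) {
        if ( san_entry_matches( $host, $entry ) ) {
            return $entry;
        }
    }
    return null;
}

/**
 * Pick the SAN list of the certificate an SNI-enabled server would present:
 * the one configured for the requested name, else the first virtual host's.
 */
function cert_for_sni( $server_name, array $vhosts ) {
    $name = strtolower( $server_name );
    return isset( $vhosts[ $name ] ) ? $vhosts[ $name ] : reset( $vhosts );
}

/** One report line: which certificate a name gets and whether it is covered. */
function describe( $host, array $san_list ) {
    $match = matching_san( $host, $san_list );
    return sprintf(
        "%-20s cert SAN=[%s] -> %s",
        $host,
        implode( ', ', $san_list ),
        $match === null ? 'no subject alternative name matches' : "ok ($match)"
    );
}

// Constructed model of the setup in the post: two names with their own
// certificates; any other name falls back to the first virtual host.
$vhosts = array(
    'ipstenu.org'       => array( 'ipstenu.org' ),
    'store.halfelf.org' => array( 'store.halfelf.org' ),
);
foreach ( array( 'ipstenu.org', 'store.halfelf.org', 'halfelf.org', 'hshop.ipstenu.org' ) as $host ) {
    echo describe( $host, cert_for_sni( $host, $vhosts ) ), "\n";
}

// What a wildcard certificate would cover (constructed SAN lists).
$wildcard_only = array( '*.halfelf.org' );
$wildcard_apex = array( '*.halfelf.org', 'halfelf.org' );
echo describe( 'store.halfelf.org', $wildcard_only ), "\n";
echo describe( 'halfelf.org', $wildcard_only ), "\n";
echo describe( 'halfelf.org', $wildcard_apex ), "\n";
```

    A wildcard entry covers exactly one label, so `*.halfelf.org` alone does not cover halfelf.org; the certificate has to list the bare domain as a second name for both to validate.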