Half-Elf on Tech

Thoughts From a Professional Lesbian

Category: How It Works

  • Why We Don’t Auto-Update Plugins

    Since the push of DreamPress (which I’m totally digging), the ‘One Click Install’ feature of DreamHost has become a little more obvious to people, and so have its benefits and disadvantages.

    What’s this auto-upgrade thing?

    To make this simple, if you use DreamPress or our One-Click installer, we automatically upgrade WordPress for you! It doesn’t happen the very second WP has a new version, mind you, we spread it out to not destroy our servers, but you will get upgraded unless the upgrade feature was disabled (of course, you would never disable them, right?). Any time you want to see if you have automatic upgrades enabled, or want to run your own, head over to the DreamHost Panel.

    Why not plugins and themes?

    So why do we only do this for core WordPress? Because plugins and themes are messy.

    Easy Update Button!

    The safest upgrade in the world is the minor upgrade (like WP 3.6 to 3.6.1), as it’s exceptionally rare that it breaks anything. It’s not perfect, of course, sometimes we find out that a plugin or theme was doing something in a very non-optimal way before (if you hear ‘doing_it_wrong()’ please keep in mind that is not a value judgement, just a code comment, we all do it wrong in the beginning). But rarely will this kind of upgrade break your site.

    Similarly, the major releases (3.5 to 3.6) are perhaps surprisingly stable. They’re tested, a lot. At DreamHost there are two people (me and Shredder) on the core contributor list, and we’re heavily involved in WordPress development every single day, at work and at home. We keep up with WP changes, test them on DreamHost, and work with the core team to resolve issues before they even release a beta! We’re on the job!

    “But hang on!” I hear you say. “I upgraded to 3.6 and it broke my theme!”

    And THAT is why we don’t upgrade themes.

    I know, I know, it sounded counter-intuitive. You have to look at it a different way. Your theme stopped working with WordPress 3.6. That means something in the theme is not compatible with the best practices in WordPress core. Translation: WP didn’t break, your theme had a bug.

    It sounds like semantics, or hair-splitting, and I totally get that. It also sounds like we’re passing the buck. We’re not! And we’re not trying to imply the theme (or plugin) developer who now has a broken product is a bad coder, or doesn’t pay attention to WordPress. What we mean is that because themes and plugins are used by much smaller segments of the WordPress community (everyone uses core, but maybe only 1000 use that theme), they just can’t be tested as robustly. This is especially true of the solo developers. Speaking as one, I used to develop WP only in my free time, so any time WP had a new release coming up, I had to take days to test all my plugins and pray I got everything. Invariably I missed stuff. It happens. We’re humans.

    Breaking isn’t the only reason, though. Sometimes an upgrade is messy and complicated.  Take, for example, NextGEN Gallery. When version 2.0 came out, it inadvertently broke a lot of installs. There was chaos, drama, and finally an open letter. How did this happen? It happened because NextGEN is hella complex, and it’s used in myriad different ways. It happened because plugins and themes can do anything with WordPress.


    Blindly updating core is safe. It’s tested and easy to roll back. Blindly updating themes and plugins is not always easy to roll back, they’re not always easy to upgrade (some require a massive upgrade script to run), and they may require you to make other changes in your theme. For that reason, we just don’t.

    If DreamPress is MANAGED Hosting, like WordPress.com, how come THEY do it?

    You mean why do the plugins on WordPress.com get auto-updated? Because you can’t install any plugins on WordPress.com! That’s all. They control everything, and simply activate various plugins depending on what package you buy. It’s not really the same thing at all, but I get why people think it is.

    I don’t care! Can I auto-upgrade anyway?

    Are you sure? Okay, then! Install the plugin Automatic Updater (by Gary P.) and set it to upgrade your themes and plugins. I personally use it on all my sites, but I’ve also personally vetted each and every plugin on my sites.

  • Whois On First


    Sometimes when I’m helping people out with their website, I feel like I’ve walked into an old Vaudeville act and we’re trying to figure out the answer to a question they don’t understand. The Internet gets newcomers every day and my conversations feel like this:

    Ipstenu: Strange as it may seem, they give computer terms nowadays very peculiar names.

    Costello: Funny names?

    Ipstenu: Code names, geek names. Now, to figure out everything about your site, we start with whois on first, What’s Your Host is second, I Don’t Know your app is third —

    For those of you who have never listened to Abbott and Costello do “Who’s On First”, you need to take a moment to watch their televised episode “From The Actor’s Home” in 1953, the complete Who’s On First. (I grew up listening to them on the radio in reruns on KNX in the 1980s, and it’s safe to say that my concept of humor comes more from them than modern TV.)

    So when I run into these people who are brand spanking new to the web (yes, they exist), I’m a little annoyed when I find they are totally at a loss at what they actually need to know in order to keep their website up and running. In part this is because the people who build the sites aren’t ‘consultants’ but friends and they just do the needful and move on. Those friends mean well, I’m one of them, but when you make a site for someone else, you have a responsibility to them that they know what the heck they’ve got. Otherwise, you’re not as good a friend as you thought.

    But if you’re that newbie, what do you need to know to run your website? Three basic things! Whois! What is! Know is!

    • Your Domain Name: Whois On First
    • Your Web Host(s): What’s Your Host
    • What’s Running Your Website: I Don’t Know Your App

    That’s it. Three simple things. But in reality, they’re not that simple. And worse, the person who bought them is, technically speaking, the person who owns them. So if someone else bought your domain name for you, they own it. Not you. They have full legal rights to do whatever they want with it. Same goes for your hosting. It’s very important you pay close attention to who is paying for your site, because if it’s not you, it should be. Don’t let your friends or consultants or developers buy these things for you, because then, legally, it’s theirs, and no amount of begging to a webhost or registrar will get them to give it to you.

    But let’s get into the details.

    Your Domain Name: Whois On First

    You know this, right? I’m looking at halfelf.org right now. But do you know where it’s registered?

    The domain name registrar is the company you paid to ‘reserve’ the domain name. It’s like your phone number. You paid AT&T to buy the number, and you can keep it as long as you want. But unlike the phone company where you pay for the number and the phone service, you may not be paying for both domain name and hosting in one go. In fact, many of us like to separate our host and our domain name, so if the host goes down, we can point the domain somewhere else.

    The ownership of the domain name is important, because if you don’t own it, whoever does can point it wherever they want. This happens, from time to time, when domains expire. Someone will snipe the domain (i.e. buy it when you’ve forgotten to renew) and take it. And there is very little (if anything) you can do about it.

    How do you find who your registrar is? It’s not that easy. If you use a tool called WHOIS to pull up the information, you’ll find a lot about a domain. For example, here’s what you can find for halfelf.org:

    Domain ID:D165216955-LROR
    Domain Name:HALFELF.ORG
    Created On:06-Apr-2012 13:52:55 UTC
    Last Updated On:06-Jun-2012 03:50:37 UTC
    Expiration Date:06-Apr-2014 13:52:55 UTC
    Sponsoring Registrar:eNom, Inc. (R39-LROR)
    Status:CLIENT TRANSFER PROHIBITED
    

    I removed some of the lines, because my information is WhoisGuard Protected. Normally it shows phone numbers, addresses, and so on. By law, you have to keep that stuff up to date and correct. Most of us forget. But none of that actually tells me what I need to know. See, I know who my registrar is, but all I see is “Sponsoring Registrar:eNom, Inc.” and that actually isn’t it.

    Except it is.

    My domain registrar is NameCheap, and NameCheap is both an eNom reseller and an ICANN-accredited registrar. I know, that was Greek, but what it means is that there’s a list of companies allowed to sell domain names, the ICANN-accredited registrars, and on it you will find both NameCheap and DreamHost, as well as Automattic (aka WordPress.com) and so on. So if they’re listed, why does my WHOIS show eNom? Because they’re using eNom. A separate example is my domain elftest.net, which shows up as NEW DREAM NETWORK, LLC. And that is, in this case, where I registered it.

    If you get eNom as your registrar, don’t worry, you can easily find out who your actual registrar is via their reseller lookup tool. Toss halfelf in there, and you’ll see it’s NameCheap. Whew!

    Your Web Host: What’s Your Host

    This is the company you pay monthly (most of the time) to host your site. They generally have your email, too, though some people use Google’s Gmail ($5/year, yes, it used to be free). The Web Host is where your website ‘lives.’ All the files, all the pictures, all the email. It’s really easy to see who your host is, thanks to tools like WhoIsHostingThis.com, which can tell you that HalfElf is hosted on LiquidWeb.

    If you can’t tell, this is pretty simple to suss out, but also very important to know. And just because you know who your host is does not mean you know the user account or passwords associated with it. If you are the person who pays the bills, you will always be able to get the account back by using your credit card info, but really this is something you should be keeping track of, because if you’re not paying for it, you’ll never ‘get it back.’ It wasn’t actually yours to begin with.

    Speaking as a web host, the question I hate to hear the most is “I don’t have my login information for you guys, can you give it to me?” For what I think are pretty obvious reasons, unless you can prove you’re you, no, we cannot hand you access. You need to know the login ID, the email address, the physical address/name of the owner, or some credit card info, in order to prove you’re you. You are not Gracie Allen, after all.

    What’s Running Your Website: I Don’t Know Your App

    This is the ‘what runs my site?’ one, and I am often amused by people who don’t know they’re using WordPress. Why amused? Because it’s at the bottom of every page, it’s on my login page, and … well it’s there. I don’t advocate removing all traces of WordPress from the site, because when you’re trying to figure out ‘what’ runs your site, these are helpful clues.

    Even if you don’t use it, you should know what it is. Check if your site has a ‘readme.html’ page like https://halfelf.org/readme.html. Drupal has a README.txt (see http://www.typepad.com/README.txt for example), and MediaWiki just uses README (see http://jorjafox.net/wiki/README for one). So you may need to try multiple variations until you find one.

    Of course, complicating that is the possibility of custom code. If your site is just plain HTML, hey, awesome. It’s easy and flexible and you’ll be fine. But the custom stuff, where someone comes up with cool ways to do things and doesn’t document them… this is why I like Web Apps, personally. Someone’s documented, or if not, there are other people who know how to help me.

    What else?

    What do you consider a ‘must know’ when you’re hosting a site? One thing that’s always interesting to ponder is “Where does my email live?” When I host other people’s sites, I tend to put their email on Google or another email only service, since that makes ‘moving’ way easier. Never assume people will want to have their files with you forever.

  • Review: DesktopServer


    I’ve been a MAMP user for years, but at WordCamp Chicago, Suzette Franck handed me a thumbdrive with a free version of DesktopServer on it. Interested (and not just because a thumbdrive with an app on it is the way I expect to be handed software today), I installed it once I got back to my office.

    Installation and Setup

    You can’t run the zip from the thumbdrive. It’s a 250meg drive with only 50 megs to spare, so because a Mac is silly, I had to copy the files locally and then unzip. It would be ‘better’ (and this is subjective) if the drive had the installer apps instead of the zips. That said, I know they were copying the zips to the thumbdrives manually, so I totally give them a pass.

    Once I did unzip it, it said it would have to restart. So I shut down everything, installed, and … no restart. I think it was a poor choice of words:

    (screenshot: ds-restart)

    Right, clearly I wasn’t paying attention. Still, it’s a strange thing to warn when it didn’t actually happen! Now, I know what they meant is this:

    (screenshot: ds-start-admin)

    I hate that MAMP does this too, and have long used the MAMP No Password app to work around this. I’d love to see that added to Desktop Server.

    There were a lot of click-throughs, but that it let me add and create a dev website, complete with the hosts file, was nice. I liked that I was able to easily tell it to install in Sites (where I like my sites!), but I didn’t like that it’s bundled with WordPress 3.5.1:

    (screenshot: installnewsite)

    Actually I don’t like that it’s bundled with WordPress. Blasphemy! But really, it would be killer if it could just have a dropdown of options: WordPress, Drupal, etc. Then when it runs, it grabs from the latest build. WordPress does this with latest.zip. Drupal doesn’t. Didn’t know that. You should, Drupal! For now, people have come up with an interesting wget based solution, so that would be an awesome thing to add. But I clicked WP (vs nothing), which is the default. I was directed to my site, where all I had to fill in was username and such. All the DB work was done!

    Using DesktopServer

    At this point, I was done so I closed DesktopServer.

    (screenshot: done)

    My site, elftest.dev, was up and running and it was easy to use. Perfect! Seriously, at this point it just worked. If I wanted to spin up another site, that was easy too.

    Sadly, it’s not easy to make a subdomain site à la Multisite. I wanted to add ‘foo.elftest.dev’ and I tried to select this to be installed in elftest.dev, but got this instead:

    (screenshot: subdomain)

    That’s okay for me, I know how to use my hosts file, but it would be nice to have this more accessible. After all, the draw of DesktopServer is that it’s easy right?

    Shutting down DesktopServer

    Here it’s weird. I had shut down the app, because it was done. But doing this only closes the app, not the Apache instance, so I had to reopen (and ‘reboot’ it with Admin rights again) to be presented with this:

    (screenshot: shutdown)

    Now I could shut down.

    Conclusions

    It’s a split decision. When I’m using the “MAMP no password” app, it’s certainly easier to activate and deactivate MAMP. However, DesktopServer wins with ease to spin up new sites. For someone like me, who needs to quickly test sites for customers and likes to use foo.dev or foo.loc to test, this is great. I don’t need to hassle with anything, just turn it on, add a site, done. DesktopServer is a little in the middle between easy for newbies and awesome for devs. It’s got a lot of room where I could see it growing, and that’s enough to keep me using it.

    The downsides are:

    • Have to ‘restart’ the app with my admin password.
    • Can’t fully customize the website location
    • Can’t customize the TLD (no example.co.dv to test an example.co.uk site, and yes I do that)
    • No menu-bar tool to activate/deactivate

    I’m going to keep using it, of course. The benefit of a fast spin-up of new sites, for what I do with testing people’s sites and fixing them at work, wins hands down.

  • Upcoming Speaking Gigs for DreamHost and WordPress


    • WordCamp San Francisco – July 26-29 (“Don’t Use WordPress Multisite”)
    • DreamCon – Aug 2-3 (“Choosing WordPress Plugins” and “Get Out Of The Monkey House”)
    • WordCamp Portland – Aug 10 (“Rolling Your WordPress Support Character (without any code)”)

    You get me twice at DreamCon. Twice the elf for one low payment!

    I believe all these will be recorded and made public.

  • Evaluating Evil


    Credit: EvalBlog
    One of the things I do at DreamHost is help with hacked sites. This means when WP is hacked, I look at it, figure out how, and explain to the person how to fix it, or how to tell their tech folks what needs doing. There are occasions where I’ll delete things for them, but usually that happens when there’s a folder or file with weird permissions.

    We have a lot of tricks with what we look for, like base64, but recently I started to find files that missed my scan, but not my “Hey, wait, wp-mai1.php isn’t a WordPress file…” check. Files like this:

    $a51a0e6bb0e53a=str_rot13('tmhapbzcerff');$a51a0e6bb0e5e4=str_rot13(strrev('rqbp rq_46rfno'));
    eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+JWozQaSrcU9+qKvIlBIGh6BBCyK/[...]')));
    eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJPXgDtQCXKNdO50TAJSqop7xw6fR/7zHm1CUqqGW91EMnK1FgzHG/[...]')));
    

    Now obviously I can just add str_rot13 to my checklist (nothing in WordPress core uses it), but ... how do I look for those eval strings?

    Eval is a funny thing. In JavaScript: The Good Parts, Douglas Crockford states “eval is Evil: The eval function is the most misused feature of JavaScript. Avoid it”, but he’s talking JS and I’m looking at PHP files. So with the (current) assumption that I can ignore JS, I can try this (I also use ack for this half the time, depending on my mood; you can leave out the ‘exclude SVN’ stuff if you want to, most users don’t have it):

    grep -R --exclude-dir="\.svn" --exclude="*.js" "eval" .
    

    That gets me a lot of files, though, and I don’t want to parse what I don’t need to. By the way, there’s one and only one file in all of WP that uses eval() in a ‘nefarious’ way, and that’s ./wp-admin/js/revisions-js.php, which is the WordPress easter egg. That’s also the only place you’ll see p,a,c,k,e,r code. But clearly I want to look for eval( or even eval($ because that’s more exact, and that should give me a better result.

    This is a two-edged sword, of course. If I’m too precise, I will miss some of their shenanigans. If I’m not close enough to what I’m looking for, I get too much. And worst of all, I don’t always know what I’m looking for. Quite a lot of finding new hacks is a world where “I’ll know it when I see it.” So let’s take it down and say I want to find no JS, nothing in .svn, and anything with eval and a paren:

    grep -R --exclude-dir="\.svn" --exclude="*.js" -e 'eval(' .
    

    That’s a lot better, and in fact, this is a good start! But it’s hard to read because of how long the lines are:

    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+JWozQaSrcU9
    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJPXgDtQCXKN
    ./wp-admin/includes/class-pclzip.php://      eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');
    ./wp-admin/js/revisions-js.php:eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('6(4(){2 e=6(\\'#Q\\').v();2 i=\\'\\\\\\',.R/=\\\\\\\\S-;T"<>U?+|V:W[]X{}\\'.u(\\'\\');2 o=\\'Y[]\\\\\\\\Z;\\\\\\'10,./11{}|12:"13<>?-=14+\\'.u(\\'\\');2 5=4(s){r=\\'\\';6.15(s.u(\\'\\'),4(){2 t=16.D();2 c=6.17(t,i);r+=\\'\$\\'==t?n:(-1==c?t:o[c])});j r};2 a=[\\'O.E[18 e.y.19.1a\\',\\'1b 1c. 1d .1e.,1f 1g\\',\\'O.E e.1h 1i 8\\',\\'9\\',\\'0\\'];2 b=[\\'<1j. 1k \$1l\\',\\'1m. 1n 1o 1p\\',\\'1q, 1r. ,1s. 1t\\'&#93;;2 w=&#91;&#93;;2 h=6(5(\\'#1u\\'));6(5(\\'1v\\')).1w(4(e){7(1x!==e.1y){j}7(x&amp;&amp;x.F){x.F();j G}1z.1A=6(5(\\'#1B\\')).1C(\\'1D\\');j G});2 k=4(){2 l=a.H();7(\\'I\\'==J l){7(m){2 c={};c&#91;5(\\'1E\\')&#93;=5(\\'1F\\');c&#91;5(\\'1G\\')&#93;=5(\\'1H..b\\');6(5(\\'1I 1J\\')).1K(c);p();h.v().1L({1M:1},z,\\'1N\\',4(){h.K()});d(m,L)}j}w=5(l).u(\\'\\');A()};2 A=4(){B=w.H();7(\\'I\\'==J B){7(m){h.M(5(\\'1O 1P\\'));d(k,C)}N{7(a.P){d(p,C);d(k,z)}N{d(4(){p();h.v()},C);d(4(){e.K()},L)}}j}h.M(B.D());d(A,1Q)};2 m=4(){a=b;m=1R;k()};p=4(){2 f=6(\\'p\\').1S(0);2 g=6.1T(f.q).1U();1V(2 
g=f.q.P;g>0;g--){7(3==f.q[g-1].1W||\\'1X\\'==f.q[g-1].1Y.1Z()){f.20(f.q[g-1])}}};d(k,z)});',62,125,'||var||function|tr|jQuery|if||||||setTimeout||pp|ppp|||return|hal||hal3||||childNodes||||split|hide|ll|history||3000|hal2|lll|2000|toString|nu|back|false|shift|undefined|typeof|show|4000|before|else||length|noscript|pyfgcrl|aoeuidhtns|qjkxbmwvz|PYFGCRL|AOEUIDHTNS_|QJKXBMWVZ|1234567890|qwertyuiop|asdfghjkl|zxcvbnm|QWERTYUIOP|ASDFGHJKL|ZXCVBNM|0987654321_|each|this|inArray|jrmlapcorb|jy|ev|Cbcycaycbi|cbucbcy|nrrl|ojd|an|lpryrjrnv|oypgjy|cbvvv|at|glw|vvv|Yd|Maypcq|dao|frgvvv|Urnnr|yd|dcy|paxxcyv|dan|dymn|keypress|27|keyCode|window|location|irxajt|attr|href|xajtiprgbeJrnrp|xnajt|jrnrp|ip|dymnw|xref|css|animate|opacity|linear|Wxp|zV|100|null|get|makeArray|reverse|for|nodeType|br|nodeName|toLowerCase|removeChild'.split('|'),0,{}))
    ./wp-admin/press-this.php:		var my_src = eval(
    ./wp-admin/press-this.php:			var my_src = eval(
    ./wp-admin/press-this.php:							eval(data);
    ./wp-includes/class-json.php: * Javascript, and can be directly eval()'ed with no further parsing
    ./wp-includes/functions.php:		if ( doubleval($bytes) >= $mag )
    

    Okay, let’s get smarter!

    grep -R --exclude-dir="\.svn" --exclude="*.js" -e 'eval(' .|cut -c -80
    

    Now I’m telling it to cut off after 80 characters, because it’s easier to pick out the bad with just that much. Look:

    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ/it9qMQ5UlWBCVGtKg+J
    ./foo.php:eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF7tW1uvotqW/ivnYSe1d85JignSvcxJ
    ./wp-admin/includes/class-pclzip.php://      eval('$v_result = '.$p_options[PCLZ
    ./wp-admin/js/revisions-js.php:eval(function(p,a,c,k,e,r){e=function(c){return(c
    ./wp-admin/press-this.php:		var my_src = eval(
    ./wp-admin/press-this.php:			var my_src = eval(
    ./wp-admin/press-this.php:							eval(data);
    ./wp-includes/class-json.php: * Javascript, and can be directly eval()'ed with n
    ./wp-includes/functions.php:		if ( doubleval($bytes) >= $mag )
    

    Part of the reason this works is I know what I’m looking for. WordPress, in general, doesn’t encrypt content. Passwords and security stuff, yes, but when it does that, it uses variables so you would get eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT].'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');, which remains totally human readable. By that I mean I can see clear words that are easy to search for in a doc, or via grep or awk without being forced to copy/paste. I can remember “PCLZIP underscore CB…”

    Those random characters are not human readable at all. That’s how I know they’re bad. Of course, if someone got clever-er, they would start naming those variables things that ‘make sense’ in the world of WP, and I have a constant fear that by pointing out how I can tell this is a hack, I give them ideas on how to do evil-er things to us.
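The checks above, as an added example that is not from the original post: a small scanner that applies the same filters as the grep pipeline (skip .svn and *.js, match eval( and friends, cut each hit to 80 columns) and then separates readable core hits like doubleval( and the PclZip line from the dropper by looking for random-looking variable names and by decoding what the str_rot13()/strrev() literals hide. The sample file tree, the call list and the hex-name regex are constructed for this example.

```python
import codecs
import re
from typing import Dict, List, Optional

# Calls worth a look in a file that should not have them. eval( appears in a
# handful of readable places in WordPress core; str_rot13( and gzuncompress(
# do not appear there at all. (List chosen for this example.)
SUSPECT_CALLS = ("eval(", "str_rot13(", "base64_decode(", "gzuncompress(")

# A "random" variable such as $a51a0e6bb0e53a: a dollar sign, maybe one
# letter, then a long run of hex digits. Core names are words ($v_result).
RANDOM_VAR = re.compile(r"\$[a-z]?[0-9a-f]{10,}")

# str_rot13('...') literals, optionally wrapped in strrev(), so we can
# decode what the obfuscation is hiding.
ROT13_LITERAL = re.compile(r"str_rot13\((strrev\()?'([^']+)'\)")

# Decoded literals that name a function a dropper typically needs.
DANGEROUS_NAMES = ("base64_decode", "gzuncompress", "gzinflate")


def decode_rot13_literal(match) -> str:
    """Undo strrev() (if present) and str_rot13() on one literal."""
    text = match.group(2)
    if match.group(1):
        text = text[::-1]
    return codecs.decode(text, "rot13")


def scan_line(line: str, width: int = 80) -> Optional[dict]:
    """Return a finding for one source line, or None if it looks clean.

    Like the grep in the post, 'eval(' also matches 'doubleval('; the
    readability checks below are what separate noise from a real hit.
    """
    if not any(call in line for call in SUSPECT_CALLS):
        return None
    decoded = [decode_rot13_literal(m) for m in ROT13_LITERAL.finditer(line)]
    reasons = []
    if RANDOM_VAR.search(line):
        reasons.append("random-looking variable name")
    if "str_rot13(" in line:
        reasons.append("str_rot13 is not used by WordPress core")
    for name in decoded:
        if name in DANGEROUS_NAMES:
            reasons.append(f"rot13 hides '{name}'")
    if not reasons:
        return None
    # Cut the snippet like `cut -c -80` so long one-liners stay readable.
    return {"snippet": line[:width], "reasons": reasons, "decoded": decoded}


def scan_tree(files: Dict[str, str]) -> List[dict]:
    """Scan an in-memory tree {path: contents}, skipping .svn and *.js."""
    findings = []
    for path, content in sorted(files.items()):
        if ".svn" in path.split("/") or path.endswith(".js"):
            continue
        for lineno, line in enumerate(content.splitlines(), 1):
            hit = scan_line(line)
            if hit:
                hit.update(path=path, line=lineno)
                findings.append(hit)
    return findings


# Constructed sample tree: one dropper next to lines that mimic the benign
# core hits the post's grep also returned. The base64 payload is a stub.
SAMPLE_TREE = {
    "wp-mai1.php": (
        "$a51a0e6bb0e53a=str_rot13('tmhapbzcerff');"
        "$a51a0e6bb0e5e4=str_rot13(strrev('rqbprq_46rfno'));\n"
        "eval($a51a0e6bb0e53a($a51a0e6bb0e5e4('eF6dWFtv6kYQ...PAYLOAD...')));\n"
    ),
    "wp-admin/includes/class-pclzip.php": (
        "//      eval('$v_result = '.$p_options[PCLZIP_CB_PRE_EXTRACT]"
        ".'(PCLZIP_CB_PRE_EXTRACT, $v_local_header);');\n"
    ),
    "wp-includes/functions.php": "\t\tif ( doubleval($bytes) >= $mag )\n",
    ".svn/text-base/wp-mai1.php.svn-base": "eval($a51a0e6bb0e53a('x'));\n",
    "wp-content/themes/x/script.js": "eval($a51a0e6bb0e53a('x'));\n",
}

if __name__ == "__main__":
    for hit in scan_tree(SAMPLE_TREE):
        print(f"{hit['path']}:{hit['line']}: {hit['snippet']}")
        for reason in hit["reasons"]:
            print("    -", reason)
```

Decoding the two rot13 literals in the sample yields gzuncompress and base64_decode, which is exactly the unpack-then-eval chain the obfuscation was hiding.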

    It’s for reasons like this that I, when faced with a hack or asked to clean one up, always perform Scorched Earth Security. I delete everything and reinstall it. I look for PHP and JS files in wp-content/uploads, or .htaccess files anywhere they shouldn’t be (in clean WP, you have two at most: at the root of your site and in akismet). I make sure I download my themes and plugins from known clean locations. I’m careful. And I always change my passwords. Heck, I don’t even know what mine are right now!

    But none of this is static enough for me to say “This is the fix forever and ever” or “this is how you will always find the evil…” By the time we’ve codified and discussed best methods, the hackers have moved on. The logic of what to look for now may not last long, but the basic concept of looking for wrong and how to search for it should remain a good starting point for a while yet.

    Do you have special tricks you use to find the evil? Like what Topher did to clean up a hack?

  • Two Factor Authentication


    This is something that Tony Perez and Sam “Otto” Wood both recommend, so you know I have to look at it seriously!

    I think I need to point out that I’m willing to accept that I’m wrong about things. After all, I can’t know everything, and I am well aware of that. But one of the things I work hard to do is learn, adapt, grow and get better at all this. The whole reason I started talking about tech on this site was I was trying to understand cloud hosting back in August of 2010. (A lot of tech posts were ported over from Ipstenu.org after the fact.)

    The point is I do this site because I want to learn, and when I learn, even if I don’t understand all of a thing, I want to share what I’ve learned specifically because I know people will come and correct me. Next to answering people’s questions, this is the fastest way I know of to really understand things.

    So.

    I didn’t mention Two Factor Authentication in my security post. Using it certainly would have mitigated the brute-force attack, though not the DDoS implications of it, and that remains why I am a fan of ModSecurity. That doesn’t mean I didn’t just add another tool to my arsenal, or that I’m not willing to try something out.

    I am now using Two Factor Authentication.

    Two-factor authentication (aka multi-factor authentication, or TFA, T-FA, or 2FA) is a way to verify your authenticity by providing two (or more) of the following factors:

    1. Something the user has – aka a possession factor
    2. Something the user knows – aka a knowledge factor
    3. Something the user is – aka an inherence factor

    For most of us, we authenticate only via knowledge – that would be your standard username and password. You “know” your password, thus you pass the knowledge factor. A PIN (like for your bank card) is the same thing. This is simple, it’s easy, and most of us can remember a password.

    Something you have is easy to explain if you’ve ever worked for a company and had an RSA ID or a keyfob with a randomly generated string. That’s the possession factor at work. In fact, your bank card (again!) is one of these too! It’s something else, something physical that you must have to prove you are actually you.

    Inherence factors are things like biometrics, so a fingerprint or retina scan. That’s all you need to know about that. Arguably it’s something you have, but it’s a part of you, something you always have with you, so it’s inherent or innate to your very person. Latin. You’re welcome.

    It’s pretty obvious that a strong password only goes so far. If I can’t log into my laptop without a USB keyfob, then my site is super secure. This is better than using the picture and keyphrase that a lot of banks use right now, but it’s also harder. It’s very easy for a company to have you pick a photo, a sentence, and a password and make you verify them when you log in. But to instead make sure you have a specific device with you that verifies who you are and that you’re you in this very second?

    How, exactly, they work depends on which method you’re using. There are myriad different methods of possession factors you could use, and how each one works is a little different. But we like multiple factors because if you needed (say) my retina scan and a password to log in and a titanium ring, and another person with those three items, then I’ve just described the plot of Charlie’s Angels: Full Throttle. I’ve also described a pretty tough nut to crack if you’re not Drew Barrymore.

    The issue with these methods is they’re not (yet) practical for the common man, and that’s really a large part of why I don’t like TFA very much.

    The knowledge factor is the easiest to hack. We’ve seen that. That’s the whole reason we want to use two or more factors to authenticate. I’m not arguing that. The possession factor is the easiest to break (lose your keyfob or be out of cell phone range). Unless there’s some backup to let me in even if I don’t have the second factor, I’m SOL in a lot of ways. Of course, once you have a backup method, then that’s vulnerable. The inherence factor is the least reliable so far and the hardest to implement correctly. There’s a whole Mythbusters on how easy it is to make a fake fingerprint. It’s not that this is easy to hack, it’s that it’s hard to protect.

    Okay, so what should we do?

    The Google Authenticator Plugin for WordPress comes recommended by my man Otto and I know I’m not Google’s biggest fan, but this is one instance where I think they did it right.

    The plugin uses open source code for Google Authenticator, which is not something Google really invented so much as perfected. In fact, my old keyfob at work did the same thing.

    Here’s how it works. The site you visit generates a string of characters called your Secret Key. This key can be a string (like hE337tusCFxE) or a QR code embedded with all the information from your site (like site name and so on). You enter the data into the app on your phone, and that uses the secret string plus the date and current time to generate another random-looking number string that you use when you log in.

    It’s like a password that always changes, and since your phone and your (say) blog have clocks running, they know what time it is, parse the math on login, and off you go. So yes, this will work if you’ve got no cell reception. But no, it won’t work if you’ve lost your phone (which remains an issue for me). Since each site has a unique key and time is always changing, the code is never the same twice. No two users or sites will have the same key either. There’s more math to it, and you can read what Otto commented about it.
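The “more math” behind it, as an added example (this is not the plugin’s code and not from the original post): the RFC 6238 time-based one-time password that Google Authenticator computes from the shared secret and the clock, plus the server-side check that accepts a neighbouring 30-second window so a phone clock a few seconds off still logs in. The base32 secrets in the block are constructed, not real site keys.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # seconds per code; the Google Authenticator default
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second windows
    since the epoch. No network needed, only a clock and the shared key."""
    return hotp(key, unix_time // step)


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps show the shared key in base32, often grouped in
    fours and lowercase; normalise spacing, case and padding before decoding."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


def verify(key: bytes, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server side: accept the code for the current window or its neighbours,
    so a phone clock a few seconds off still works; compare in constant time."""
    window = unix_time // STEP
    for delta in range(-drift_steps, drift_steps + 1):
        if hmac.compare_digest(hotp(key, window + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Constructed base32 secret (not a real site's key).
    key = decode_base32_secret("JBSW Y3DP EHPK 3PXP")
    now = int(time.time())
    print("code now:        ", totp(key, now))
    print("code next window:", totp(key, now + STEP))
    # A second site with its own key gives a different code at the same moment.
    other = decode_base32_secret("GEZDGNBVGY3TQOJQ")
    print("other site now:  ", totp(other, now))
    print("verify now:", verify(key, totp(key, now), now))
    print("verify two windows late:", verify(key, totp(key, now), now + 2 * STEP))
```

The RFC 6238 test vectors (key 12345678901234567890, time 59 gives 287082) confirm the arithmetic; a code is accepted one window early or late and rejected after that.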

    Now to log in to my blog I need the username and password, plus a random number I can only get at if I have my cellphone and know the passcode there too. In my case, if I lose my phone, I can’t get into my site. This is, most of the time, okay. If I’m on a strange computer, I need the phone anyway to get the password out of 1Password, and I tend not to log on when I’m not on my own computer or my iPad (which requires the use of an app password, less secure all around, but needed).

    To me, it’s not risk versus reliability, or even risk versus vulnerability. It’s risk versus risk. So far, the risk of losing my phone is less than the risk of what happens if I lose my website. After all, my website is my life.