Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: administration

  • Common IT Answers

    I actually have this sitting on my desk at work. It’s so old that the fluid has evaporated enough that it doesn’t work right anymore. But I keep it and use it. What is it? A magic 8-ball of tech support! Many moons ago, our CDW vendor gave my boss a Magic 8-Ball for programmers showing the answer “IT’S NOT A BUG – IT’S A FEATURE”. The top of the ball says “For your most commonly asked IT requests.” Some of the answers are blatant CDW adverts, but the rest are answers I know I’ve used at least once:

    • Did you press the right button?
    • I can’t test everything
    • It worked yesterday
    • It works like I programmed it
    • It works on my machine
    • It’ll be fixed in the next release
    • It’s a Beta – What did you expect?
    • It’s an unlikely coincidence
    • It’s just an isolated incident
    • it’s not a bug, it’s a feature
    • It’s not supposed to do that
    • Please submit a formal request
    • Plug it in
    • Program works. Must be user error
    • Reboot
    • Someone changed my code.

    Sadly, the thing is dying. I may have to learn how to make a new one, since right now it’s stuck showing me a corner instead of a face.

    I’m not the only person who uses these, though. Eric Mack did as of 2004!

  • CAPTCHA Isn’t Accessible

    I’m just going to start this with a possibly startling fact. PWNtcha can break 90% of known CAPTCHA algorithms. If that doesn’t tell you why they’re totally useless, then I don’t know what will.

    It’s no secret that I detest and will not use CAPTCHA on any site I build. I have a math-test on one site where I get a lot, but that’s as far as I’m willing to get into that world. People often ask me why I hate it, and I tell them that it doesn’t work and it’s bad for accessibility. The fact that it doesn’t work is proven by PWNtcha pretty well, but the concept that it’s bad for accessibility seems to be lost on a lot of people.

    Screenshot from Star Trek episode 'Wink of an Eye' where Kirk is ordering dinner from the computer

    CAPTCHA stands for Completely Automated Public Turing test to Tell Computers and Humans Apart. In the beginning, it was a great idea. The computer world had just started to try and make AI, and the first attempts at that on the Internet were to put little bots out that talked to people, asking and answering questions. That, in itself, is pretty damn cool, I agree. With working AI, we’re one step closer to ‘Computer, I’d like a bottle of Chateau Picard’s chardonnay, chilled to 68 degrees Fahrenheit, and play some Barry White at volume level 3.’ (illustrated to the right). AI is a great concept. But. What we actually got was people thinking ‘Wouldn’t it be cool if I made something that listened for key phrases and told them about my cool product?’ Basically, spam.

    An early defense against spam was that you had to enter a CAPTCHA code, which showed a picture with letters and numbers, and you entered those letters and numbers into a text field. The magic CAPTCHA verified they were the same and let you in. Pretty cool, right? Except that if there was a way for CAPTCHA to compare the image to the text you entered, then there had to be a way to reverse engineer that so a spam bot could read and enter the same code. Ever since then, it’s been an ongoing fight to make a better mousetrap.

    See, a human can easily read CAPTCHA like these:
    captcha examples that don't matter, suffice they're readable by most sighted people

    But the best ones, the ones that can’t be solved by computers, the ones that even PWNtcha says will last for a long time, are ones I look at and wince:
    captcha examples that don't matter, suffice they're totally unreadable by most sighted people

    Clearly if you make it good enough that a computer can’t crack it, you make it harder for a human to be able to understand it. In that one moment, anyone who has limited vision can’t access your site. Which means you’ve lost a visitor. If this is your business, you’ve lost revenue. And if you think there aren’t a lot of people that this will keep out of your site, think about how many people you know with some form of dyslexia. Think about how many people over the age of 40 (the age at which most of us need reading glasses) visit your site. Even if you run a trendy under-30 store, grammy may want to buy junior a new hip shirt. And don’t even pretend that older people don’t matter. Remember how long ago you were in college? Yeah, you’re getting older too, buddy.

    So they don’t work, they keep real people out of your site, and did I mention you probably don’t need it? I’ve been running ipstenu.org for a very long time (on Internet time – it’s been over a decade). I’ve had less than 20 spam posts show up on my site. None since I turned on comment approval (where I must approve your FIRST comment, but after that, you’re free to post). Akismet has caught about 50k spam posts. Bad Behavior’s caught even more (100k at last gasp) and only two ‘real’ people have ever complained about being caught (one had a virus, one had a bad firewall at school). Sure, if you’re Yahoo, you might need it, but did you know the ‘unreadable’ examples I used above were from Yahoo? Yeah. Google has a pretty basic, easy to read one, and so does Twitter. Facebook has too many, and they’re annoying. They actually probably don’t need them, either.

    Turn off your CAPTCHA. Your users will thank you.

    Continued Reading
    Inaccessibility of CAPTCHA – W3.Org
    It’s Official: Captchas Are Bad for Business – The ZURBlog
    Why you should never use a CAPTCHA – Online Aspect
    CAPTCHA Effectiveness – Coding Horror

  • Filtering Emails via cPanel

    Sometimes you get emails that you just don’t want to read. Maybe it’s a person you like who’s driving you batshit. Maybe it’s someone who’s actually harassing you. If you use Gmail, you can filter emails and they go into a folder or your trash-bin, and you don’t have to read them ever again! If you self-host, though, the steps are a little different.

    The first thing I do is make a new folder to hold these emails. I have some filters set up to auto-turf spam and viruses. But for people who harass me, I like to save their emails for review and reporting. Yes, I report them to the authorities when needed, and I save them so I can have their IP and routing info. Because of that, I have a built in folder on my email accounts for ‘Harassment.’

    Obviously you can teach your email client how to do this, and there are tutorials galore about how to get Mail.app, Thunderbird and Outlook to filter emails. But me, I like to have the filter happen before I open my email box, so I don’t have to even consider it.

    Once you’ve made the folder, go into cPanel and click on User Level Filtering. This allows you to make a filter per email address on your server. If you want to filter all emails for all addresses on your account, there’s Account Level Filtering, which I use for the aforementioned spammers and virus senders. Also for all mail in non-English encoding. I’m hopelessly mono-lingual.

    Next, select the account you want to add the filter for. This one is pretty obvious, no?

    This screen will show you all your filters. I happen to have an existing one to filter someone’s constant requests for information. Since we want to create a new filter, click the Create a new Filter button.

    Now we’re getting started! Give the filter a useful name. I used ‘Harassment’ since I’m going to be adding in all the emails who harass me, and just dump them into one folder. The email I’ve added is one someone made up. It’s not real so don’t bother spamming it. There are a lot more options under the Rules section, but this one is pretty straightforward for me. I want all emails from jorjafox@gmail.com to be dumped into Harassment.

    Actions, which is just below the rules, is where you decide what happens. You can have multiple actions, the default of which is to discard the email. This means it gets deleted. You never see it. I don’t want this, I want to Deliver to Folder.

    Once I’ve picked the action, I have to actually tell it which folder. This is where I pick Harassment.

    Put together, the whole thing looks like this:

    There are a lot more actions you can perform. One of them is NOT ‘Mark as Read’, which annoys me sometimes since my mail app will show my unread count, and I like to keep that low. I have no more than 10 emails, total, in my many inboxes at any one point in time, and the only ones unread are ones I have yet to answer or action (i.e. I have to do something before the email’s ‘done’). You can, however, add as many emails as you want. Just make sure you use OR and not AND for the emails.

    Once you’re happy with your settings, click activate and you’re done! Now that annoying person will be chump-dumped into a folder and stop cluttering your inbox!
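    Behind the cPanel screens, User Level Filtering writes an Exim filter for that address. The same filter written out as a plain Exim filter file, an added example and not anything from the original post; the Maildir path and the second sender address are assumptions, the first address is the made-up one used above:

```exim
# Exim filter
# Added example: the plain-Exim equivalent of the cPanel filter built above.
# Assumptions: the mailbox is a Maildir under $home/mail/<domain>/<user>/
# (a placeholder path, not one from the post), and IMAP folders are
# dot-directories inside it, so the "Harassment" folder is .Harassment/.
#
# Lowercase "contains" is a case-insensitive match; join extra senders
# with "or". With "and" the From header would have to contain both
# addresses at once, which never happens, so nothing would be filtered.
if
    $header_from: contains "jorjafox@gmail.com"
 or $header_from: contains "second.sender@example.invalid"
then
    # "Deliver to Folder": keep the message for later review and reporting.
    save "$home/mail/example.com/user/.Harassment/"
    # Stop so normal inbox delivery does not also run for this message.
    finish
endif

# For comparison, the default cPanel action, "Discard", drops the mail
# without a bounce; in Exim filter terms that is:
#     seen finish
```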

  • Backup Your Data

    We all know this adage: Your data is only as secure as your last backup. But how do you back up? What do you back up? Where do you put it so that your data is safe, secure, and above all, accessible in a pinch?

  • Internet Anonymity and Impersonation

    If you’ve visited this URL, I know who you are. I know your browser, your IP, your OS, your screen size, how you got here, who your ISP is, what country you’re in, and really, that’s a lot of stuff. It doesn’t matter if you post on this site or not, I have a way to log who you are.

    Did that scare you? Well, it should and it shouldn’t. Every website on the net has this ability, and some are more honest about what they do with that information and some are not. I use it to optimize content for my visitors, and to block my current bevy of South African residents who are harassing me.

    Five years ago, I wrote an essay for my office about how people on the internet know who you are. The intent was to raise awareness in my co-workers as to how people knew who they were, and what actions made them obvious to site-runners that they were who they were.

    Someone asked me once if it was possible to be anonymous on the net, and I told him, seriously, “Sure, don’t log in.” Expecting to be able to be truly, 100%, anonymous is like expecting to be able to come to someone’s house and never tell them your name or show them what you look like. They’d kick you out, have you arrested, or worse. A website is a house, and the same basic rules apply. You’re a guest.

    If you run your own website, be it a small, weird blog about everything, a tech blog, or a fansite, you have people who come by and will eventually be a dick. This is just a constant in life. But that means you have to keep an eye on your site, upgrade it to keep out the ones who want to hack, and find ways to keep out the ones who just want to be trolls. I’ve written a couple plugins (Ban Hammer and Impostercide) to help me with that, but at the end of the day, no plugin can be as smart as your own brain.

    Recently, in the Impostercide comments, someone asked me if Impostercide could stop anonymous users from impersonating each other. And the answer is no, no it cannot. See, Impostercide (and any similar plugin) needs to check against a list, and really, all you have is the list of members. So if someone anonymous tries to use a member’s email or login handle or URL, well that’s easy to catch! Sure, some people might have the same URL, but that’s pretty unlikely unless they’re running a business together… Like Ron and Andrea. I may want to rethink that part, now…

    Anyway, the point is you have to have something to check against. Anonymous users aren’t registered, so the only ‘check’ you have is IP address. In theory, you could jigger the check to say ‘If the user ID/email has commented before, check to make sure the IP is the same, and if not, flag it as bad!’ Except that wouldn’t work, since, for example, I login with multiple IPs. The world is just too mobile for that to work in any decent automated fashion. Instead, you need to use your brain.

    As a site runner, when I see a questionable comment, I make a note of the IP address first and then the email. If it’s a specialized domain (like ipstenu.org, something personal), I go to the site and check it out. If the site looks legit, I match the IP. Does it come from the same general region as the website? Does it come from the same general region as where the website says the person lives? If it’s someone I’ve seen around my sites before, does it sound like their other posts? Does the language match their website? Do they post on forums I frequent and sound like they normally do? You’d be surprised how easy it is to notice when someone doesn’t sound right. There will be an odd turn of phrase or a strange typo.

    I’ll give you a true example.

    I have a sort of twitter stalker/idiot, who pretends to be a famous person, and kisses up to me and asks that I verify her celeb account as legit (this is because I run a fansite for said famous person, and I met her once). Recently she posted on my fansite blog. Her comment immediately was flagged by my moderation filter, because it was a new post from a new email address. I do this for all new comments on all sites I run. And even then, if I approve a post I’m not sure about, I manually put it in the moderation list for a while.

    What my idiot, apparently, did not know, was that when you post to a blog, it records your IP address. I looked up the IP, since someone who’s purportedly a celebrity should come from, oh, perhaps the general Los Angeles area. Or maybe her agency. But no. It’s from South Africa. South Africa happens to be where another twitter account, one that regularly harassed and insulted me, was located. In fact, if I went to that account’s twitter page, right there under location it says ‘South Africa.’

    Armed with that information, I opened up the fake celeb and the troll twitter pages, side by side, and matched time-stamps of tweets. Oh look. All tweets are roughly around the same timeframe (hours that are pre and post school for South Africa, but weird for someone in the USA).

    The lessons to take from this are simple. First is ‘Never piss off the sysadmin’ but only slightly less well known is this: If you’re going to pretend to be someone else, you need to be really good at hacking the internet, in order to hide who you actually are. And if you think someone’s being impersonated, well, it’s pretty easy to double check and follow up. If someone contacts you and says ‘Hey, that’s not me!’ follow up right away and assume they’re them. Kill both comments and email asking ‘which one’s you?’ But err on the side of caution.

    If you’re a commenter, use your brain. Never assume the person running the site doesn’t look at your data and make some snappy deductions from it.

    For a site runner, remember there is no better weapon to fight impersonators on the internet than to use your brain and think things through logically.

  • What is Cloud Hosting?

    This came up because I’m considering moving to cloud hosting. I don’t have to, yet, and since it’d cost me an extra $25 to $30 a month, I’m not planning on it just yet. (Actually, it would be pretty much WHAT I pay now, if I drop cPanel, which is an extra. But for the extra $20 I get ‘cPanel + Fantastico as well complete support of base operating system and all cPanel services. Proactive service restoration is provided.’ I don’t care about Fantastico (and tend to uninstall it), but the base OS support is useful and cPanel just makes life easier for me. Yes, I’m lazy.) But wrapping my head around the ideas behind cloud computing was a weird trip.

    A few years ago, I had a job as a Citrix tech, which meant my job was to take software normally installed on your PC, install it on a server, and somehow trick the PC into thinking ‘When I run Word, it’s actually running on this distant server, and not my desktop, but everything pretends it’s on the desktop.’ This was called a thin-client deployment, because the client (i.e. the PC), only has to have a very little bit of processing power to run things like Adobe Photoshop. By the way, fat-client means ‘everything runs on your desktop.’

    For the really old hands at this, you’ll remember when all PCs were just dumb terminals that connected to the mainframes, and you ran everything off the mainframe. Guess what? Thin-client stuff is kind of the same thing. The programs you run via thin-client basically only exist when you run them. The rest of the time, they’re not available on your PC. This is good and bad. It’s good, because a company can save millions by pushing out low-end, weefy desktops to everyone. It’s bad, because they then have to turn around and spend the millions on the servers and the network. If the server or network goes down, no one gets to work.

    What does that have to do with cloud computing? Cloud computing takes the thin-client idea of ‘on demand’ usage to a new level. Right now, ipstenu.org lives on a server (a VPS to be specific) with four other domains. I pay a flat fee for the server space, a specified amount of bandwidth, a limit of CPU, and some IP addresses. With cloud computing, I would pay a flat rate for hosting, but if I need more CPU, I can easily get more by clicking a button. And when I don’t need more? It goes away.

    Suddenly my server is able to adapt! It scales up and down on an as-needed basis. Think of it like your heating bill. In the summer, when you don’t need it, the cost per month goes down. In the winter, it goes up. And unlike the gas company, you don’t pay more during winter because it’s a set, year-round rate. Woo! Or, as the video I’ve linked to below would say, it’s like a taxi. The meter keeps running at stoplights, but it runs slower, so you pay less.

    Now I will say the math for how much all this costs, sorting out what you need, is a bit heinous. I ended up chatting with my webhost about what I would need, based on my current usage. They have their own traditional webhosting setup as well as a cloud service, and since I adore them to no end, I decided it would be smartest to just ask them about it. Yes, it would be a hassle to move everything, and likely my subversion stuff would break and need to be re-installed, but it’s definitely a better bang for my buck than to use something like a dedicated server.

    There are downsides to all this. The biggest one is security, which panics a lot of people. On cloud computing, you’re back to the same sort of place you were for shared hosting. When you need more CPU, you get another ‘slice’ of the cloud (it’s a mixed metaphor, sorry). The slices still need servers to run on, obviously, and each webhost has the option of slapping together a bunch of servers quickly and poorly, or doing it the right way. And, sadly, a lot of webhosts are leaping into the cloud without looking, shoving servers together, and not thinking about security. To those people who worry, I remind them that cloud or not, your server’s security has always been about your webhost.

    In August of 2010, it was determined that Network Solutions (a big webhost) had over 500,000 compromised websites. Reported on by Armorize Blog, they proved that any time you made a parked domain, Network Solutions put a widget on your site that served up malware and could infect PCs. This was a default widget, something that showed up if you didn’t check any boxes, on newly registered domains.

    From the horses’ mouth, Network Solutions spokeswoman Susan Wade provided this statement when asked for comment: “Regarding the widget incident from the weekend, our security team was alerted this past weekend to a malicious code that was added to a widget housed on our small business blog, growsmartbusiness.com. This widget was used to provide small business tips on Network Solutions’ under construction pages. We have removed the widget from those pages and continue to check and monitor to ensure security. Reports of the number of pages affected are not accurate. We’re still investigating to determine the number impacted.”

    Basically, Network Solutions’ own website was hacked and shot a ton of other sites.

    You want to complain about cloud being insecure, go ahead, but remember that your security depends on your host being a good soldier, same as always. Which is why I recommend LiquidWeb and their Storm On Demand Hosting.

    The other thing people complain about with cloud is they can’t touch their physical server. Personally, I don’t care. The virtualization of data is a big thing, and most people actually never see their server. Mine’s somewhere in Michigan I think. Making backups isn’t easier or harder with a cloud, so you can still have a good backup of your data for emergencies. Everyone should have a backup.

    Should you move to cloud? If you’re on a VPS and starting to get too big for it, then yes. The cost is a good reason but also you’re just going to get more flexibility. If my server needs grow (which is to say, if I start crashing the server again), I’ll be moving to cloud for sure.

    Still confused? Watch this video and it will explain it in a very straightforward, amusing, manner: