Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: essay

  • Don’t Be Afraid of Looking Foolish

    Don’t Be Afraid of Looking Foolish

    If you’ve ever watched baseball on TV (which is rare for me, I prefer the radio), you may have seen some of the most incredible faces that athletes make. This is pitcher Jered Weaver of the LA Angels:

    Pitcher Jered Weaver, LA Angels

    He looks crazy, doesn’t he? He’s also an insanely good pitcher. He can make a ball do things just by changing how he holds it or points his elbow. It’s a gift. It’s not really a useful one to a lot of people, but it’s certainly not something I can do. He doesn’t worry about the silly faces he makes (I hope) because he can see the results are worth it.

    One of my most popular tweets ever is this:

    Everyone screws up code, no matter how awesome a professional you are. Accept it.

    When I wrote it, I was laughing at myself for seriously bollixing some code and pushing it live too soon, which happens to the best of us. I knew I’d messed up as soon as I saw the first error report, and pushed a fix right away.

    What I didn’t do was worry about how it made me look.

    Oh don’t get me wrong, I knew it looked bad, and it was embarrassing, but I’m not afraid of making mistakes. I didn’t let the fear of looking bad stop me from trying something new and experimenting and making a change. I knew there was a chance to end up with egg on my face, but I knew there was also a chance I would make everything perfect and ‘save the world.’ Or at least make my code awesome for more people.

    We’re going to mess up. We’re going to make mistakes. We’re going to break things. While we try hard not to do that, the glory, the hero within us comes to play not when we’re perfect, but when we recover. Mistakes will be made, accidents happen, and you will screw up.

    What will you do when you make a mistake?

  • The Mindset of Security

    The Mindset of Security

    I talked at WordCamp LAX this year about KISS Security, keeping it simple and being aware of what it is you’re doing. Because security isn’t about the right passwords, and upgrades, and plugins, and .htaccess, it’s about you doing what’s right. And in fact, while I did mention some plugins, some features on servers, and I certainly was willing to give my advice and opinion on them, I don’t recommend one security plugin over another. Instead, I talked about the mindset of being secure.

    Don’t be stupid

    My mother is one of the few people I know who has almost completely conquered the will to be stupid.

    Miles Vorkosigan on his mother, Cordelia Naismith Vorkosigan
    Brothers in Arms by Lois McMaster Bujold

    If I can not be stupid, then I can be secure. Sounds easy, but ignorance is the linchpin of stupidity, and you must defeat that first. The people whose hacked sites land on my desk aren’t actually stupid at all. They’re just uneducated: this whole WordPress thing is new to them, and the security stuff is scary.

    With that in mind, I aim more towards education when I help people. When I debug a site, I send the customer a two-fold email. The first part is the tl;dr stuff. “You were hacked because you’re on WordPress 2.6 and your theme and plugins had backdoors due to old, vulnerable code.” That’s the easy part. Then I explain in detail how I found the hack, why it was a problem (did you know that an inactive theme is still sitting on disk under wp-content, so its files can be requested directly in your browser, and any hole in it is still exploitable even though you’re not using it?) and some details on how to fix it, even though I know they’ll still make mistakes. But I get them started with understanding what I’m looking for and why I think it’s bad.
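    To make the inactive-theme point concrete, here is an added example (my own illustration, not code from this post or from WordPress) of the kind of check I run when cleaning up a site: walk wp-content/themes, skip the active theme, and for every other theme report the version declared in style.css and the PHP files that have no ABSPATH guard. The guard (`if ( ! defined( 'ABSPATH' ) ) exit;`) is a common WordPress convention for stopping a file from running when it is requested directly instead of being loaded by WordPress; a file without it executes on a direct request, active theme or not. The theme tree it scans is a constructed fixture built in a temp directory, and the file names in it are hypothetical.

```python
"""Added example: list inactive WordPress themes and the PHP files in them that
run when fetched directly (no ABSPATH guard). Illustration only, not the post's
or WordPress's own code; the fixture tree below is constructed for the demo."""
import re
import tempfile
from pathlib import Path

# Theme headers live in style.css; the Version line is what you compare
# against the vendor's current release.
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.M)
# The conventional guard that makes a file exit unless WordPress loaded it.
GUARD_RE = re.compile(r"defined\(\s*['\"]ABSPATH['\"]\s*\)")


def theme_version(theme_dir):
    """Version string declared in the theme's style.css, or 'unknown'."""
    css = theme_dir / "style.css"
    if not css.is_file():
        return "unknown"
    m = VERSION_RE.search(css.read_text(errors="replace"))
    return m.group(1) if m else "unknown"


def unguarded_php_files(theme_dir):
    """Relative paths of PHP files that execute when requested directly."""
    found = []
    for php in sorted(theme_dir.rglob("*.php")):
        if not GUARD_RE.search(php.read_text(errors="replace")):
            found.append(php.relative_to(theme_dir).as_posix())
    return found


def audit_inactive_themes(themes_root, active_theme):
    """Report every theme except the active one: version plus reachable files."""
    report = {}
    for theme_dir in sorted(p for p in themes_root.iterdir() if p.is_dir()):
        if theme_dir.name == active_theme:
            continue
        report[theme_dir.name] = {
            "version": theme_version(theme_dir),
            "unguarded": unguarded_php_files(theme_dir),
        }
    return report


def build_fixture():
    """Constructed wp-content/themes tree for the demo (hypothetical themes)."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "themes"

    def write(rel, text):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text)

    # The active theme: its PHP is guarded.
    write("twentyfourteen/style.css", "/*\nTheme Name: Twenty Fourteen\nVersion: 1.1\n*/\n")
    write("twentyfourteen/functions.php", "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n")
    # An old theme nobody uses any more, with a helper that runs on direct request.
    write("oldtheme/style.css", "/*\nTheme Name: Old Theme\nVersion: 0.9\n*/\n")
    write("oldtheme/functions.php", "<?php\nif ( ! defined( 'ABSPATH' ) ) { exit; }\n")
    write("oldtheme/lib/resize.php", "<?php\n// hypothetical helper: reads $_GET, no guard\n$src = $_GET['src'];\n")
    return root


if __name__ == "__main__":
    root = build_fixture()
    for name, info in audit_inactive_themes(root, "twentyfourteen").items():
        print(f"{name} (v{info['version']}): directly reachable: {info['unguarded'] or 'none'}")
```

    The guard is a heuristic, not a fix: a guarded file can still be vulnerable through the theme that loads it, and an unguarded file may be harmless. What the report buys you is a list of themes you are not using that can still be reached from the outside, which is the argument for deleting them rather than leaving them “just in case.”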

    Bald Eagles are Vigilant

    Use Common Sense

    The reality of security is that we’re all ignorant, at some point in time, of what we’re doing, of what it means. Identity theft can go on for years because people don’t monitor their credit card statements. We get ripped off by not checking receipts. We give away our credit cards without thinking. We all do dumb things in the moment and regret everything. We have 20-20 hindsight. And getting to the point where we don’t do that, where we think first, takes deconstruction of myths, education, and trusting your gut.

    Don’t Get Overwhelmed by the Hype

    Stop me if you’ve heard this one. “You’ll be hacked unless you install a plugin.” Or maybe this one… “You’ll be hacked because you installed a plugin!” It goes on and on. Should you upgrade? Of course! But do I think upgrading alone is the answer? Heck no! Upgrading, being concerned with plugins and themes, using good passwords… those are all important, but they’re not going to be the end all of everything. They don’t make you smarter, and that’s why I hate them. What they really do is make you lazy. You think that because you have them, you’re safe, and you stop being aware.

    Security Tripod

    Back in 2010 I came up with what I call the Tripod Theory of Security for websites. It’s a pretty simple way to be smarter about security. The three legs are:

    1. Your Webhost (server)
    2. Your software’s developers (WordPress)
    3. YOU (everything else)

    If everyone holds up their leg, the security of your site is locked down. If you have a responsive webhost, secure software, and good behavior, you’re going to be happy, the odds are that a WordPress upgrade never breaks your site, and you’ll be safe for a long time to come. Awesome! But as someone wailed at me at a barbecue, “How do you get to that point when you can’t CODE!?”

    Education

    The simplest answer is the most obvious. Know what you’re getting into with software. The plugins and themes you use are ones you should know about. Read the readme, follow the FAQ. Don’t be afraid to ask questions about features you want. But the best thing you can do is use your brain and think. When we grab code and don’t think about who wrote it, where it came from, and what it means, we open ourselves up to disaster, and we may as well be posting our passwords on the front of our websites. Taking that moment to be aware that hey, maybe a nulled theme (a pirated copy of a paid theme with the licensing stripped out, which often arrives with extra code you didn’t ask for) is a terrible idea will save you.

    The biggest thing to do, though, is not to research everything to an inch of its life, but to stop and think. When we jump into things without any forethought or awareness, when we ignore that nagging feeling of doubt, we run the risk of being stupid. Gas station sushi is still sushi, right? And sushi is totally awesome. Well. Yes. But it’s also a fast track to spending the rest of your day in the bathroom. And you know this. Your gut knows these things because of your experiences, and when they outpace your knowledge, that’s when we get those momentary blips of “This is a baaaaaad idea!” Listen to them. If it helps, picture a relative looking over your shoulder going ‘tsk.’ Admittedly, mine would be Taffy holding a glass of wine, saying “Don’t be stupid, Mika.”

    What I Look For

    Practicality matters, though. I can’t just say “Find code by a WordPress Core Developer and never worry a day in your life” because everyone can make mistakes. Instead of looking for perfection, I look for behavior. I want to see a developer is active, both in general and in the overall community. I want to see how they respond to people, either in the same terms and language they use, or if they’re always super-technical. I want someone who understands what they’re doing, even if they’re not always right, and I want someone who can balance out the need for fixes with the annoyance of an update every day.

  • The Great Internet Slowdown

    The Great Internet Slowdown

    Wednesday is the Great Internet Slowdown, when websites all over the world are going to protest the cable conglomerates getting together to decide how fast our connection to specific sites will be, and when.

    I’m going to do this one simply. You know how you can dial anyone on your phone, and it’s your responsibility to not dial up sex numbers if that offends you? The phone company doesn’t limit your ability to do that. It doesn’t stop you from sexting your ex at 2am when you’re drunk and that was a really bad idea, wasn’t it? They don’t tell you, as you dial a psychic, that you should dial this other one instead. No, they let you shoot yourself in the foot.

    Well that’s not how they want it to work on the Internet.

    Cable companies are spending billions to gut the heart right out of net neutrality and create fast lanes and slow lanes on the Internet. A company that pays them more will get their site loading faster. A company that doesn’t, even if it has superior products, would be slower.

    This isn’t about how quickly our cat videos load, it’s about the future of our ability to communicate, to learn, to create, and to rebel. It’s about the future of humanity.

    I know that sounds a little heavy handed, but it’s true. The ability to use the Internet for communication is massively important. I work with people all around the globe, I fix websites all over the place and I talk constantly with people everywhere. I need to be able to do this to succeed at my job. If cable companies get their way, it might make it impossible for products like WordPress to develop as quickly as it does today.

    It’s already hard enough, with nations putting up firewalls and blocks that stop users in China from reaching Google Fonts, to get things done. But now we’re letting companies you and I might not even use decide they know what’s right?

    Come on! Let me decide if I want to go to that site and talk to those people! It’s just like the phone, after all.

    If you’re on WordPress, grab the Cat Signal Plugin. You can install it and leave it on, it’ll turn itself on when needed.

    This is the battle for the net

  • The Internet is Down

    The Internet is Down

    When things were new and we used to dial in to a BBS on someone’s computer, what we meant by ‘the internet is down’ was pretty simple. Either our phones were down and we couldn’t dial out, or someone else’s were down and we couldn’t dial in.

    A mischievous monkey on a net

    On August 12th, a network outage took my server ‘down.’ Now, trying to explain this on Twitter was complicated, since it needs more than 140 characters. The situation was pretty basic. The internet pipe leading to and from my server wasn’t working right. But what did that mean?

    As I love to do, let’s step back and think about all the various ways your ‘internet’ might ‘break.’ It’s a fun thought experiment, and this is in no particular order.

    • Your home/work internet isn’t working and no one can get anywhere
    • Your device’s network adapter isn’t working and you can’t get any signal
    • You’re in a place with no signal/wifi
    • Your firewall is preventing you from accessing a site
    • The server that houses the site you’re trying to visit is offline (or on fire)
    • The site you’re trying to visit has a code error and nothing loads
    • The DNS records for the site are wrong
    • The site’s nameserver is wrong or changing (mea culpa)
    • The internet connection from the site to the rest of the world is down
    • There’s a problem somewhere in between you and the site

    That list is incomplete. What happened to me on the 12th was the last one, however, and it was caused by something particularly weird that can be summed up as this: We finally hit 512K BGP routes on the internet today and ran out of room.

    https://twitter.com/TheProtestBoard/status/499270694702972928

    Of course, the next question is what BGP is. From Reddit:

    BGP is a routing protocol that advertises routes externally, each large organization advertises some BGP routes at the edge of their network. Each edge device has a routing table with all the advertised BGP routes from around the internet.

    So think of it like a giant phone book, and we ran out of pages. Now before you get scared, not every router needs the full table. Most routers hold only the routes they actually need plus a default route that hands everything else to an upstream router; it’s the routers at the edges of the big networks that carry every route on the Internet. Those tables act as giant maps of the entire Internet, and those maps are pretty damn big.

    A lot of routers, in particular an older generation of Cisco hardware that is still deployed everywhere, keep the forwarding table in a fixed-size memory (TCAM) whose default split allowed 512K IPv4 routes. Once the global table passed that, the routes that didn’t fit stopped being forwarded properly; depending on the box they were dropped or pushed out to slow software forwarding. Either way you simply could not get from point A to point B, or in this case, from your ISP to your website. I could, for example, get to my site on my phone and from my home internet, but not from my office. Go figure. Some router on that path simply had no route to my server’s network.

    This isn’t something ‘new,’ by the way. In May, the IPv4 routing table hit 500K routes, and the prediction was we’d hit 512K no sooner than August, more likely October. Oops.

    As Otto put it:

    Everything was affected. See http://downdetector.com/ for example. All those blue graphs should usually be quite flat.

    Screenshot of DownDetector

    That’s AT&T. It was pretty much the same for everyone, though.

    The fix? Well, network engineers spent their August 12th reconfiguring routers (giving more of that memory to IPv4 routes, which generally meant a reboot) and in many cases replacing hardware. That’s a stopgap, not a long-term fix: the limit is in the hardware, and the table only keeps growing. Nor is IPv6 the fix. Oh, I should explain that too.

    Internet Protocol version 6 (IPv6) is the newest version of the Internet Protocol (IP), the protocol that gives every network and device on the Internet an address. An address can be shared (all my domains sit behind the same one) and changed, but mathematically there’s a hard limit to how many can exist: IPv4 addresses are 32 bits long, so there are only about 4.3 billion of them, in addition to the limits on those routing tables. This gets worse when you realize that nearly every device that wants to be reached on the Internet needs an address for identification and location. Your phone. Your iPad. You get the idea.

    IPv6 improves parts of the mess. About 95% of the net still runs on IPv4, and because IPv4 space ran out, allocations got carved into ever-smaller ‘blocks’ (prefixes), each announced separately. That is exactly what inflates the routing table: the table counts prefixes, not addresses. IPv6 allocations are big enough that a network can announce one prefix instead of dozens, so the IPv6 table is far smaller in entries even though each entry holds a longer address. But it’s not a full fix. The IPv4 table isn’t going away, the IPv6 table grows too, and we’re going to have to come up with a better way to store and shrink those tables, because things are only getting bigger.
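    Here is an added example (my own toy model, not the post’s code and not how any real router is implemented) that puts numbers on both points above: a forwarding table with a fixed capacity that silently stops holding routes past its limit, and the fact that what fills it is the number of announced prefixes, not the size of the addresses. The input is a constructed mini ‘table’ of one /16 carved into 256 /24s plus two unrelated prefixes; the capacity of 200 stands in for the 512K default of the affected routers, and the next-hop addresses are placeholders from the documentation ranges. Real routers differed in exactly how they failed past the limit; the model keeps only the part that matters to the traffic, which is that a destination with no installed route is unreachable.

```python
"""Added example: toy forwarding table with a hard capacity, longest-prefix
lookup, and a count of how many entries the same reachability needs after
aggregation. Illustration only; capacities and sample routes are constructed."""
import ipaddress
from typing import Optional


def parse_table(lines):
    """Parse constructed '<prefix> <next-hop>' lines into (network, next_hop)."""
    routes = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, next_hop = line.split()
        routes.append((ipaddress.ip_network(prefix, strict=True), next_hop))
    return routes


def deaggregate(prefix, new_len):
    """Split one block into every sub-block of length new_len: what happens when
    an allocation is carved up and each piece is announced on its own."""
    return list(ipaddress.ip_network(prefix).subnets(new_prefix=new_len))


def install(routes, capacity):
    """Simplified hardware table: the first `capacity` routes fit, the rest don't."""
    return routes[:capacity], routes[capacity:]


def lookup(fib, address) -> Optional[str]:
    """Longest-prefix match over installed routes; None means 'no route'."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, nh in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def aggregated_count(routes):
    """Entries needed if contiguous blocks with the same next hop were announced
    as one (collapse_addresses performs the merge)."""
    by_hop = {}
    for net, nh in routes:
        by_hop.setdefault(nh, []).append(net)
    return sum(len(list(ipaddress.collapse_addresses(nets))) for nets in by_hop.values())


# Constructed input: one /16 announced as 256 separate /24s via one neighbour,
# plus two unrelated prefixes. A real full table is hundreds of thousands of lines.
SAMPLE = ["# prefix next-hop"]
SAMPLE += [f"{n} 192.0.2.1" for n in deaggregate("10.0.0.0/16", 24)]
SAMPLE += ["198.51.100.0/24 192.0.2.2", "203.0.113.0/24 192.0.2.3"]

TOY_CAPACITY = 200  # stands in for the 512K (524,288) IPv4 default of the affected routers


def demo():
    """Run the model once and return the numbers a reader would want to see."""
    routes = parse_table(SAMPLE)
    fib, missing = install(routes, TOY_CAPACITY)
    return {
        "advertised": len(routes),
        "installed": len(fib),
        "missing": len(missing),
        "reach_early": lookup(fib, "10.0.5.9"),      # inside an installed /24
        "reach_late": lookup(fib, "203.0.113.7"),    # announced after the limit
        "after_aggregation": aggregated_count(routes),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The same 258 announcements collapse to 3 entries when the /24s are merged back into their /16, which is the whole difference between a table that fits and one that doesn’t; the address width never enters into it.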

    On the plus side, for the first time in a long time, when someone yelled “The Internet is broken!” they were actually right.

  • Getting Good Advice

    Getting Good Advice

    She was running a webstore on shared hosting without caching, and was upset it was slow. She was using only free products, no HTTPS, and was annoyed people said they couldn’t buy from her and that she could only use PayPal. She was angry that we couldn’t magically fix it.

    I sped up her site, improved PHP, and cleaned up some duplicate plugins. And then I asked “Have you considered a VPS?” She ranted that it was our job to make shared hosting better, even if it cost us more, because she certainly wasn’t going to invest in her business. So I complained, on Twitter, that people who use free/ultra-low-budget services for a business and are unhappy with performance get what they deserve.

    Then my buddy joked that Danica Patrick said it worked for $0.99! I joked back that he was taking web hosting advice from someone whose selling skill is “I drive real fast!” As we tweeted, we elaborated on how silly it was to take hosting advice from someone whose job it was to look pretty, drive fast, and only turn to the left.

    It’s funny to us because we know better. If I was going to ask Danica Patrick for advice, I would ask her how she managed to sell her image so effectively. I might ask her if I could learn to drive a race car from her. But asking her what the best setup was for running an ecommerce store? Hell to the no! It’s outside her expertise and I’d be a fool for asking her in the first place!

    Which brings me to my point. The advice you get is only as good as the people you get it from.

    That’s painfully obvious, right? To go old school on you, you shouldn’t ask the fish guy for advice about pork, you don’t ask the vegetarian for advice about lamb, and for goodness sake, you don’t use the marketing sales pitch as your only measure for what kind of host you need.

    Sorry, marketing guys.

    A Koala - which has nothing to do with anything

    Way back in the beyond days of websites, when we all used pure HTML and loved it, I was starting up a fansite. I had an idea that it might be moderately popular, so I reached out and asked some people who ran similar sites. I told them what I wanted to do, and asked who their webhost was, what ‘tier’ of hosting did they use, and were they happy? A wonderful woman named MadDog (I miss her so) was insanely helpful and sent me a breakdown of how much traffic she got, what her spikes were (our actresses were on the same TV show, this was helpful), how crazy the fans got, and then handed me a coupon for her host. “Use it or don’t use it. I get about $50 if you do.” (Spoiler alert: I did.)

    When I was looking at getting DSL back in 1999, I asked other people in my building who they used, why, and were they happy. Surprisingly a lot of people hated their ISP except one guy, Quinn, who told me what he used it for, why he paid as much as he did, and how it was worth his money. And he too said if I used his code, he’d get $50. Actually I think he got $150 and took me and my wife out to dinner.

    The point is this. I sought out people with a similar experience as I was expecting to have, such as living in the same building. I asked them how they used it, so I could see if their issues would be the same as mine. I asked them if they were happy, because I knew I’d been calling support at least once, and it would be nice to know how painful it would be. I did my research, myself, because it mattered to me.

    Your site matters to you. It behooves you to sit down, take stock of your goals, and research the options out there. We can’t always know where we’ll end up or how we’ll get there, but we can make the effort to find people who match our perceived direction and ask them a simple question. We can search for our peers and read articles they’ve written. We can ask them for recommendations. And in the moment those people take time to sit and answer your questions, you need to listen to them. You should thank them. You may even want to go out of your way to compensate them. Because they just gave you some amazing value.

    Would I host a business on low-end shared hosting? Sure. To start with. But as my business grew, I learned that I had to invest in order to reach my goals.

    And yes. I did.

  • Don’t You Give That Girl a Gun

    Don’t You Give That Girl a Gun

    His WordPress site was hacked.

    He’d reported it as a ‘slow site’ and the techs had done an amazing job helping him clean it up, but when it landed in my lap, I took one look and saw backdoors, permissions issues, and vulnerabilities galore. So I did the reasonable, responsible, fair thing. I reinstalled the files, I cleaned up the plugins, and then I saw his theme was behind a paywall, old, and, worse, no longer supported. So I removed the theme from his website (putting it where he could get it back) and switched him to Twenty Fourteen. Then I explained in a rather long email how his site was hacked, how I determined it, and what he needed to do to get the theme back (basically download it again from the vendor).

    He was mad.

    He argued that I had broken his site and it no longer looked right. This was true. He complained that my service was deplorable because his site looked wrong. This is debatable. He groused that I had to put the theme back. This was not going to happen.

    old fashioned rifle on a wall

    It’s the service conundrum. If you know something’s wrong, do you leave it alone or do you fix it? When I see people post their passwords in public places, I delete them and use bold and italics to chastise them. When I see people doing dangerous things like editing core, I do the same. I try really hard to educate and warn people, so they can be protected from shooting their own foot off. So when I have a rabid customer telling me I need to let them do it … I don’t.

    My job is really to help people fix their sites, and that tends to mean my job is to debug and educate and provide options. But when someone has an abjectly wrong bit of code, like the bevy of people who had their old themes and plugins break when we upgraded them from PHP 5.2 to 5.4, I will regularly go that extra mile and fix the code. That doesn’t mean I don’t educate them, they usually get a quick lecture about why we upgrade promptly, but when someone’s that far off normal that their code won’t work on PHP 5.3, I assume they just don’t know anything.

    The worst part about it, though, is when they argue. They’ve asked you for help and advice, you provide it, they demand you fix it, and at a certain point… they’re just asking the wrong person. Your webhost is not your consultant. While many times we can and will fix the site, when it gets down to code that isn’t working, we can’t be expected to re-write all the code.

    Sometimes we’re going to be the bearers of bad news. Your theme is hacked. Your plugin is vulnerable. Your code won’t work on this server because of reasons. We’re never making an excuse, but we are trying to explain to you why things happen.

    Now I know I’m a little weird, because I think that everyone should be educated in how their site works. Not that I think they need to learn to code, but to understand what’s going on, in broad terms, means you’ll be able to help us help you fix your site. And with that, I expect people to actually listen to what the support techs say. We won’t always be right, especially not with WordPress which has infinite combinations of plugins and themes (it’s a mathematical impossibility to be able to be familiar with everything) but for the most part, we are all trying to learn to be better and faster at debugging.

    But. What do you do when the person you’re trying to help insists on hurting themselves? Like the person with the hacked theme, maybe you’re lucky and your company has a policy that once you know something is malware, you’re not permitted to reinstall it. But what if they decide to use a script with a known hole, like an older version of TimThumb, that isn’t malware itself but is a well-documented way in? How big a deal is that? Is it better or worse than helping someone do something that will absolutely kill their SEO?

    For me, it’s pretty simple. My company does have a no-malware policy, and I can fall back on that. When I volunteer, I often tell people “I will not assist you in doing something I don’t feel is right.” and I walk away. Because I feel strongly that I should educate you, but also that I should never enable you to hurt your site.