Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: essay

  • Reset the Net Gotchas

    All my domains will not be HTTPS by the end of 2014.

    Sorry. It’s one of those things that just isn’t (at this time) something I can pull off. If I only had one domain and everything was subs, I could get one wildcard subdomain cert and be done with it. But with the number of domains I have it’s not feasible. Which brings me to what I think one of the major issues with our desire to protect the net is… But let’s step back!

    Yesterday, as you may have noticed, was Reset The Net day. It was a call to action, much like we did when we went dark one day.

    Now on this site, I’m using the Internet Cat Signal, which cleverly updates itself as I need to alert people to crap like this. The tldr is that the NSA is spying on us. I leave that plugin on all the time, it fires up when there’s something people need to know. It doesn’t slow down my site, and I hope it brings awareness to folks who otherwise have no idea about this stuff. About 75% of my traffic on this server can be described as people who don’t know about any of this.

    What have I done for this? The recommendations are to use HTTPS, HSTS, and PFS. Since HeartBleed, I enabled PFS. This is a non-logical sort of thing to do, in that few people seem to explain how to do it. On my box, which uses WHM, it was pretty easy. In my WHM Panel, I went to Apache Configuration -> Global Configuration -> SSL Cipher Suite. Then I picked the PCI Recommended suite, not the default, and rebuilt the configuration. Then I went to Apache Configuration -> Include Editor -> Pre Main Include and, for all builds of Apache, added this:

    # Enabling PFS
    SSLHonorCipherOrder On
    SSLProtocol All -SSLv2
    # CVE-2011-3389
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    

    The last bit lets me support any IE 6 users who visit my store. But as I said, I don’t have SSL on for all my domains. So what are my HTTPS issues?
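    The ordering logic behind the directives above, as an added example (not code from this site or from WHM): a small Python audit that checks whether the server's cipher order is honoured and whether forward-secret (ECDHE/DHE) suites are ranked first. The SSLCipherSuite lines and the finding names are constructed for illustration, since the page does not show the PCI Recommended suite string.

```python
import re

# OpenSSL suite-name prefixes whose key exchange is ephemeral (forward secret).
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")

# Constructed sample: no SSLHonorCipherOrder, forward-secret suite listed late.
BEFORE_CONF = """
SSLProtocol All -SSLv2
SSLCipherSuite AES128-SHA:RC4-SHA:ECDHE-RSA-AES128-SHA:DES-CBC3-SHA
"""

# The page's directives plus a constructed SSLCipherSuite line.
AFTER_CONF = """
# Enabling PFS
SSLHonorCipherOrder On
SSLProtocol All -SSLv2
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES128-SHA:!RC4-SHA
"""

def parse_directives(conf_text):
    """Map lower-cased directive name -> argument string (last one wins)."""
    found = {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            found[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return found

def explicit_suites(cipher_string):
    """Return (ordered suite names, unexpanded tokens) for an SSLCipherSuite value.

    Heuristic: a token containing '-' and no '+' is taken as a literal suite
    name. Aliases such as HIGH or EECDH+AESGCM need OpenSSL to expand, so they
    are reported rather than guessed at. Simplification: both '!x' and '-x'
    are treated as permanent removals.
    """
    suites, unexpanded, removed = [], [], set()
    for tok in filter(None, re.split(r"[:, ]+", cipher_string)):
        if tok[0] in "!-":
            removed.add(tok[1:])
        elif "-" in tok and "+" not in tok and not tok.startswith("@"):
            suites.append(tok)
        else:
            unexpanded.append(tok)
    return [s for s in suites if s not in removed], unexpanded

def audit_forward_secrecy(conf_text):
    """Return a sorted list of finding codes for one Apache TLS config."""
    conf = parse_directives(conf_text)
    findings = []
    # mod_ssl defaults to Off: the client's preference order then decides.
    if conf.get("sslhonorcipherorder", "off").lower() != "on":
        findings.append("client-chooses-suite")
    suites, unexpanded = explicit_suites(conf.get("sslciphersuite", ""))
    if unexpanded:
        findings.append("alias-needs-openssl-expansion")
    if suites:
        is_fs = [s.startswith(FS_PREFIXES) for s in suites]
        if not any(is_fs):
            findings.append("no-forward-secret-suite")
        elif False in is_fs:
            last_fs = max(i for i, fs in enumerate(is_fs) if fs)
            if is_fs.index(False) < last_fs:
                # A non-FS suite outranks at least one forward-secret suite.
                findings.append("fs-suite-ranked-below-non-fs")
            else:
                # FS suites come first; non-FS ones remain only as fallback.
                findings.append("non-fs-fallback-present")
    elif not unexpanded:
        findings.append("no-explicit-suites")
    return sorted(findings)

if __name__ == "__main__":
    for label, conf in (("before", BEFORE_CONF), ("after", AFTER_CONF)):
        print(label, audit_forward_secrecy(conf))
```

A config that only uses aliases comes back as `alias-needs-openssl-expansion`; run `openssl ciphers -v` on that string to see the real order.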

    The cost is insane. Let’s look at wildcard ssl, which is what you want for *.example.com situations. It’s pretty much $100 a year. That’s not too bad until you factor in how many domains I have on this server. Six family members, six of my own sites (including short domains like helf.us). So that’s either $1200 a year, which is obscene, or $145 a year at the cheapest I could find, and that’s for the simple green lock and no wildcards. For the big green bar, it’s back to around $1000 a year. Oh and I forgot one of my domains, so that’s $164 and $1047. Now I could totally afford the $164 a year, it’s doable with my ad revenue (which pretty much breaks me even at the end of a year) but….

    It’s slower. Look, I get it how it’s important to be secure, but right now, the nginx proxy setup I’m using doesn’t work on HTTPS. That sets me back some since using it has sped up my site considerably. I know how to (and have) set Google Pagespeed to play nicely with HTTPS, so I’d be back to where I was before. This isn’t bad, it’s just not a great experience. Right now I have a secure login, secure email, a fully secure store, and ssh/sftp only, so the only place your data could get ‘sniped’ is when you’re leaving a public comment on my public site, which makes me less worried than I might be. Even my git repo is secured.

    Also it’s hard. And no, that’s not an excuse. PFS (Perfect Forward Secrecy) isn’t easy to add to your servers, and it’s way outside the realm of what most people can do. Hell, it’s outside the realm of what I’m comfortable doing. It took until my server had the specs for OpenSSL that will support PFS for me to do it. The point is, this part has to be done by the webhost for most people, and that is a big issue. It’s not easy or fast to upgrade servers, and it’s far, far more persnickety than updating WordPress. It’s complex, and you have to think about everyone on the server. Again, not an excuse, just a caution that it takes a while to finish up.

    Speaking of WordPress, multisite isn’t great at it. In fact, it’s less great than normal WP. I have two sites with SSL right now, ipstenu.org and store.halfelf.org. Ipstenu is only SSL on the back end, but even with that, there are inconsistencies. First, all the links are HTTPS, so when I click on “My Sites” the links to NON HTTPS sites are using HTTPS, which doesn’t work. Also if I made a new domain, it defaults to HTTP and not HTTPS. So I have to edit that manually. This is annoying, though not insurmountable, and I know it’s something being worked on.

    In the end, the absolute biggest reason I’m not switching to HTTPS is that the only people who need secure communication are the people logging in or the people buying things, and I’ve taken care of that. For the rest of you, know that my store is secure, my logins are secure, and if you’re commenting on the site, for god’s sake, don’t post anything you don’t want people to know!

    I’m sure in a few years if not months all this will change, but this is where I am today. The racket with SSL certs costing that much needs an easier solution, and then the rest will fall into place.

  • It’s a Piece of Cake

    We’ve all bought furniture we had to put together ourselves. It’s the Ikea way, we can save money by putting in sweat equity, and get ourselves something less expensive and a little faster than waiting for it to be built and delivered and installed for us. Also we have a feeling of satisfaction. I felt that when I hand-built my wood arrows for a slightly larger cost up-front but a lower one long term. It was worth not just the experience to me but the result.

    When it comes to working with new software, it’s much the same way. We come to it for all those reasons (price, desire to learn, speed) and many more, but we have to build up the experience in a product to have the comfort and expertise to become masters of it. See, by making my own arrows, I know more about how they work and how they’re put together and why certain things happen. The head of your arrow is too heavy because you used a heavier point? That explains why the drop rate is so high! The glue used to attach the point is uneven and heavy? That’s why it wobbles! I know how they were put together, now I have a cause/effect understanding to my arrows.

    Learning something new is always easier the second time. But when someone else tells you how to do it, you get the impression they feel that it’s as easy as pie. But it’s not to you. When I had to write a new plugin to act as a CDN for DreamObjects, I was frustrated. I threw the code out a dozen times, I burned it and started over, I forked and knifed and otherwise fought with things. And then, through all my frustrations, I finally understood and was able to write what was needed. When I went back to add a feature as requested, since I now understood how it worked, it was easy.

    Part of the issue is that the second time, you’re not creating new neural pathways, you’re just using the ones you’ve got. They may be newish, but they’re not created out of nothing, which means you have a chance to follow your own footsteps. Much of this is exactly why I blog a lot about how I do things and how they’re created. If I walk first, you can follow and go “I like this, but I want that…” and make a fork in the path.

    In and of itself, that’s how WordPress works. It’s made a pathway for you to ease your blogging and site maintenance, but it’s also allowed you to see the trail and blaze your own when you need, while still having some of the familiar inside. At the same time, when things go weird, or people want a new feature for WordPress, it comes back to the innovators and trailblazers to determine how to create something out of nothing.

    Code is art. It’s creation. It’s hard. When people say “It should be easy to do this…” I wonder if they’ve ever tried to follow a new recipe, or if they’ve forgotten what it was like to learn to master a new video game, or even driving. All the easy things have already been done. We’re into the world of the complex, much of which we’ve done to ourselves, where to add one new, simple thing requires in depth knowledge. We’ve raised the bar on the entry to new code, which is a problem we’re all aware of.

    But.

    Once you get over that bar, once you’ve done this one time, once you’ve designed one site, or edited one page in HTML, the next time is a little easier. You don’t lower the bar, you build a step to make it easier to jump that bar. Even if it’s learning a new email app, or how to use your phone. No matter how intuitive a thing is, you still have to learn it!

    So you have to keep trying and keep working until you too can say “It’s a piece of cake.”

  • Support Politeness

    I had a great time at WordCamp Miami, talking about becoming a WordPress hero and inspiring people to do more in WordPress even when they can’t code. I helped people figure out how to approach their favorite theme shops and plugins and suggest that perhaps they could fix documentation. I networked and met a lot of people who opened their eyes to opportunities. I told them the truth: companies ask me if there are more people like me to help answer questions.

    One of the off the cuff comments I made in my talk was that people think that support is the ‘low end’ of WordPress because that’s how they treat it. What I meant was that I see a lot of people look at support, dismissively, and say “Well that’s a low end job for dumb people who can’t code.” and honestly I want to grab them by their shirt and shout “You’re the dumb person!” I don’t, mostly because that would get me arrested, but also because it won’t help.

    Let me explain by telling you about my flights to and from Miami.

    I live by a tiny airport, and I always have to transfer at either DFW or ORD. I went through DFW on the way to Miami, but I almost didn’t. As we got on the plane, they announced there was a horrible storm and we were all de-planing. No flights were going to DFW. So we all started calling American (my airline of choice) about options, and the crew removed luggage. Then I overheard the gate agent say that if people did not have any checked luggage, including gate-check, they could get them on the next flight to DFW. I rushed over, asked if I could get on the flight, and had a ticket in my hand. I said thank you very much. So did the people behind me.

    When I got to DFW, I found the second half of my flight was canceled, so I went to the gate and asked about it. The gate agent was harried and I told her “You know what, take your time. Do you need me to step back?” She looked at me and asked if I’d mind ‘blocking’ for her, just standing there and acting as if I was being helped, so she could sort out other things. I agreed, and proceeded to say things like “I can’t believe how helpful you are, how dare you be so accommodating!” until she laughed too hard and made me stop. Then she pulled my information up and bumped me to a better seat. As she did so, they told her the plane had been diverted and she asked me not to tell anyone. I thanked her, agreed (though I told my family my flight was delayed), and we watched a tornado pass by.

    If you can’t tell, I was nice to the people giving me support. I was polite, I treated them with respect, and I made sure to take a moment to tell them I appreciated their work.

    You see, the problem with support is that it’s low end because that’s how you treat it. Certainly, when I call Time Warner and tell them “My DNS tables aren’t refreshing, I can’t get to this domain, how do I refresh them on my modem?” and they ask me “Did you reboot?” I get annoyed. I make sure to tell them, exactly, what I did, I ask them how to do things I’m less familiar with, and I say thank you when they explain things. But when they ignore what I ask to follow their scripts, yes, I get frustrated. I appreciate what they do, but they created a situation where my service is problematic and my experience was sub par because the way they’re told to handle people is to follow a script.

    Let’s go back to airports. Sometimes things happen outside the control of anyone, like weather. When I was at ORD, my flight got grounded due to lightning on the tarmac. And when I say that, I mean we watched lightning hit the tarmac in front of us. It was a microburst storm, so we waited it out, boarded the plane, and then got hit by another storm. This storm was so bad, the whole airport was grounded for 6 hours. I spent four hours getting my flight sorted because all the flights were canceled. Did I get mad? Nope! It was not American’s fault all the flights got canceled, and it wasn’t their fault everyone’s calling to get help. When I finally got a hold of someone, I told her what happened and asked if she could get me home. She said she could get me on the first flight out and I said “Oh my god, I love you!” You see, I’d heard all these other people from my flight get multiple leg trips to our small airport, or not even to ours. And here I got an exit row aisle seat. I thanked her, and went to a gate to get my pass printed. When the gate agent did that, I said thank you for the extra work.

    That’s when something amazing happened. The woman beside me did a double take and said “That’s right! Thank you very much, we do appreciate this!” And people around us suddenly looked sheepish and started muttering thanks. A small angry group became calm and polite. The gate agents told us where we could get pillows and blankets, and when I went there, I also said thank you. The same thing happened. People around me stopped snatching pillows and complaining, and they started being humans again.

    I changed the feeling of support. I made the people helping me feel respected and needed, which they were. I made the people around me remember that these people were providing a service above and beyond the norm. I changed support from being a low-end situation to a valued service.

    When you deal with support, when you have a problem and ask for help, remember that. We know you’re having a terrible day. Take a moment to breathe deeply, calm yourself, and thank the people helping you. When you treat support like crap, you get crap support. It’s as simple as that. I’ve been out with WordPress folks and seen them lose their shit on coffee baristas, and I’ve told them “If you treated me like that in the forums, I’d ban you.” It slaps them in the face, because they forget somewhere down the line that humanity is what makes us human.

    If you want more people like me in the support world, and I know you do, you need to start with yourself. Check yourself, treat people how you want to be treated, and when you read what they say, assume the best intentions.

    And say thank you. It will change everything.

  • C’mon Get Trac’in!

    After every major WordPress release I trawl the forums and look for new superstars. I usually find one or two people who, like I did five years ago, catapult themselves into the stratosphere by taking notice of issues of communication and correcting them. That’s how that OMGWTFBBQ post was born! WordPress 3.0 dropped with a lot of changes and people lost their minds. That’s the best part of a complex release.

    The worst part is people losing their minds in the wrong places.

    Oh there’s nothing wrong with going batty over a change or reporting something is broken. What’s wrong is when you go into a half-dozen similar posts and repeat the exact same rant. Much like the superstars who get noticed because they’re being helpful, when you spam-rant, you become noticed in a bad way.

    No release is perfect, and WordPress’ ideology of ‘Release and iterate!’ means that we know we’ll have missed something, or not totally finished another, and it’s not everything we want yet, but also that the fastest way to get ready is to get more people poking at it and breaking it. This means we know things aren’t perfect, but it doesn’t mean we ship broken code. Still, change breaks things, and some of those things are outside our control (like TinyMCE 4 changed how it implements a lot of things).

    Naturally though, big changes cause loud complaints. For people who shout and demand to know why we had to change, the problem is where they do it, not so much how and with what language. The where problem is that someone will post a rant in a bunch of similar posts, or create a trac ticket when they haven’t done any debugging.

    It’s pretty easy to remember that the support forums are not your personal soapbox to stand on and shout about how much everyone sucks (or is awesome, I know). The forums are a place to describe your problem and get help.

    So … How DO you know when it’s time to get trac-a-lacking and make a ticket, and when it’s not?

    Is it just you?

    A quick search of the forums will tell you if you’re the only one with an issue. If you see one or two other people with similar issues, read deeper. Similar is not the same, so just because you both have a white-screen-of-death on the post editor does not mean it’s the same bug.

    Did you do the needful testing?

    Have you tried:

    • flushing any caching plugins you might be running, as well as server and/or browser caches.
    • deactivating all plugins (yes, all) to see if this resolves the problem. If this works, re-activate the plugins one by one until you find the problematic plugin(s). If you can’t get into your admin dashboard, try resetting the plugins folder by FTP or PhpMyAdmin (read “How to deactivate all plugins when you can’t log in to wp-admin” if you need help). Sometimes, an apparently inactive plugin can still cause problems. Also remember to deactivate any plugins in the mu-plugins folder. The easiest way is to rename that folder to mu-plugins-old
    • switching to the Twenty Fourteen theme to rule out any theme-specific problems. If you can’t log in to change themes, you can remove the theme folders via FTP so the only one is `twenty fourteen`. That will force your site to use it.
    • manually upgrading. When all else fails, download a fresh copy of the latest.zip file of WordPress to your computer, and use that to copy up. You may need to delete the wp-admin and wp-includes folders on your server. Read the Manual Update directions first.

    (Can you tell I use that a lot?)

    Does it happen on a clean install?

    The best testers test on a test site. Even on my personal, I don’t code on it, laptop, I keep a copy of MAMP handy, as well as a pure test site on a live server. But I’m weird. Still, if you’re even considering making a trac ticket, have a test site and test it there before you click that ‘new ticket’ button. It may feel like an extra hurdle, but having that clean test will make sure you’re not losing your mind sometimes.

    Have you asked anyone else about it?

    I admit, this works better if you know people, but if you do know someone, just ask. I bug my coworkers sometimes “Hey, do you see this? No? Okay…” It helps me sort out if I’m being crazy or not, and sometimes just asking “Anyone know why I might get this error…?” gets amazing results. Again, this works best if you have a network already, so don’t worry about this too much.

    Hope you’re right…

    Even I don’t know if it’s right to make a ticket all the time. I hesitate over those buttons a lot, and often delete the whole thing. It’s not super simple to know, so you have to make your best guess.

  • How to Market Your Blog

    I recently had a poll on my ebook store, asking people to vote for what I should write about. Someone suggested this: how to market your blog-best strategies and “no no’s”

    For a while, I looked at the suggestion with Reddit face. I’m not in marketing. I’ve never been in it, I don’t have the foggiest idea how one goes about marketing anything, and I don’t really care to. Why would anyone ask me to write about that? But then again, maybe they’re asking specifically because I don’t normally write about that.

    With that in mind, here’s how I market a blog, and it’s one really simple step:

    Know my audience

    You’ve got to know who you’re writing for if you want to sell it. If I’m going to be blogging about dog food, then I should take the time to learn about how dog enthusiasts act online. What kind of ‘fan’ blogs are there, what kind of official/professional sites are there, what sort of forums. I need to understand who they are, how they act, and what they expect. A blog for tech people will accept different design styles than ones for pre-teen books.

    A side-note to knowing who I’m talking to is knowing what they consider normal. Even if you think the current ‘trends’ on their sites are ugly as sin, you have to aim at them in order to be accepted. Similar but different. People don’t like big changes, and you may find yourself ignored. At the same time, being different is good, you stand out. Find that balance.

    But when I tell people “I know my audience and I write for that” it sounds at once insanely overly simplistic and bloody genius. The fact is that I’m not a marketer, so I don’t ‘market’ my site, I write good content, put it on a theme with good SEO (thank you Carrie Dils for your Utility Theme and StudioPress for Genesis), and the rest magically takes care of itself because what I put into the world isn’t my blog, but myself.

    I said once that Chris Lema doesn’t sell himself, he sells you on yourself. He liked that so much, it’s on his header for his blog redesign. Chris, I suspect, gets what I mean when I say I don’t actually market anything. See, I go out there, I find people who need help, and I help. I spent time without really meaning to building up a rep of being helpful and knowledgeable and understanding because I have some skills that were perfect for my audience. Not only do I know them, I am them!

    What’s on this site is essays, how tos, and ebooks. I sell the books based on the attraction from what I do in the world. See, Open Source is weird. We put stuff out there for free, and then people pay us for other things they can’t do themselves. It’s like how I tell my coworkers to ‘sell’ people on our managed hosting. It’s a question of where people want to spend their time. I like playing on the server, my wife doesn’t. If she didn’t have me for hosting, I’d actually tell her to get managed hosting from the start, because it lets her do what she wants to do!

    And that’s what you’re selling. That’s what you market.

    Steve Jobs was right when he said your customers don’t know what features they want. But don’t sell them or market them just because they’re features. Sell them what you are what you use. Tell them the truth. Market by representing what they could be, help them get there, and don’t sell ‘As Seen On WordPress.’

    We build in WordPress things we need. We should market them as that. “I needed this. Here’s how I did it so you don’t have to reinvent the wheel.”

    I’m Mika Epstein, aka Ipstenu. I know things you don’t because I do things you don’t, and I write about them for you to be able to do them even easier and faster. I know what it takes to learn because I learned. I know how to explain it because it’s how I explained to myself. I know who to talk to, because you’re my people.

  • So Your WordPress Upgrade Broke

    I’m delving into angry-land here, so hold on to your hat.

    So. You upgraded WordPress to a major release without testing it first, and broke your site? It’s probably your own fault. Bring on the stones and when you’re done, let’s talk.

    Ready to talk? Okay, you didn’t test. That’s why it’s at least partly your fault. This triples if the next words out of your mouth are “And my WordPress site is my life!” It quadruples if you say “My client sites broke!” It’s infinite if you broke your company site and you happen to be a WordPress based company.

    But notice how I said probably? I can honestly say that 50% of the time my site breaks, it’s WordPress, not me, but I happen to run trunk without testing, which makes it my fault, not theirs. Seriously. I’m running trunk on a live site, which updates twice a day. I’m a little reckless. My life is WordPress, which makes me in violation of one of my own cardinal rules, but at the same time, the part of WordPress that is my life is supporting it, or breaking it and reporting it. For me, a broken WordPress install is one that needs my love to fix it, and I embrace that role.

    You’re not me. And in fact, neither is my dad or my friends’ sites that I host. For them, I have a couple options: Let them upgrade themselves, upgrade them automatically, upgrade them myself. I use all of those methods, in different situations and with each of those, what happens when they break? I will say this, for everyone but me, if I have a contract to manage their updates, I test the update first. To the fellow who complained he had 200+ sites to test, I say “Well, that’s your job.” You agreed to manage them, you better do it right.

    Telling people “Your site broke because you didn’t test.” isn’t an answer, though. It doesn’t explain why the site broke. The answer to that is a little more simple. “You have code that doesn’t work with the upgrade.”

    And yes, it’s really that simple. You have a plugin, or a theme, or an add-on to your server, that doesn’t like the newest version of WordPress. Now, it’s a struggle to fix one’s site at the same time as placating one’s customers/clients/visitors, because you’re in a race against time. This is why you have to do that usual testing with plugins off and so on. Complain all you want, there’s no way around it. Point out you’re not a coder all you want, that’s actually why this happened to you and not me.

    What do I mean? Well I am a coder, so when I install a new plugin I review it first by looking at all the code. You’re not a coder, I hear, but you can still review the plugin by looking at the updates, the author, their contributions to WordPress, the support forums, and the size of the plugin. The larger a plugin, after all, the more chances to go wrong. I also like to check /wp-admin/credits.php and look for the author. If they’re there, the odds of them not knowing that there was a change in WordPress that impacts their code are pretty negligible.

    And this is how it works. It’s the addition of all things, combined to make a good, educated, guess as to the relative safety of your site. Good plugins that you’ve checked on, good themes ditto. Sure everyone can make a mistake, but good code makes fewer, good coders adapt well, and responsive coders react well. That’s the biggest thing. People will make a mistake and break your site, but if you use a theme where the developer is on the spot with patches and generally responds quickly (say, within 5 days), then you can be pretty sure that this developer knows when WordPress is releasing a new build, and that they should test Betas and RCs. That’s what you’re looking for.

    This is especially important if your site breaks on a MINOR upgrade. If your site broke going from 3.8.2 to 3.8.3, and you find out it’s a theme, stop using that theme. That’s really hard, I know. But it’s really serious. A theme or plugin that breaks on the minor updates is doing something really wrong, or is taking advantage of a vulnerability which makes it dangerous to use. That’s it. That’s the reality. Either code is really bad or it’s really unsafe.

    Neither of those things means the developer is a bad person. It just means they did bad code. We have all done bad code. We have all been the cause for bad and dangerous code, and we will all be so again. But again, it’s how we respond that makes us heroes or not.

    Look for the heroes. They stand out. Use their code.