Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: essay

  • Security: Do it the WordPress Way

    Pretty regularly, people complain that I’m being pedantic and stubborn about security. They argue that their home-grown filters and regular expression checks are more than sufficient for sanitizing and validating data. Invariably I tell them “WordPress has a function for that. Please use it. Don’t create your own.”

    Most of the time, this gets a grumbling acquiescence. On the rare occasions it doesn’t I get a pretentious email telling me the developer has been working in tech and computers for 10 to 14 years (10 is most common) and they’ve released code before and they know what they’re talking about.

    You know what? You do. Most of the time the code you people come up with looks fine. But after 14 years working for a bank and around 7 of doing WordPress plugin reviews and nearly 5 of working for a web host, I’ve got a different point of view than you do. I have a mountain of experience that is hard to match. This doesn’t mean I’m the smartest person down the pike, don’t get me wrong. But I’ve seen a lot. I’m like that Farmer’s guy.

    We know a lot because we’ve seen a lot

    With all the things I’ve seen, I’ve developed a very different set of criteria for security beyond just “Is it secure?”

    I know the following:

    • Someone is always going to be smarter than I am.
    • Hackers are incredibly dedicated to being shits.
    • Users are incredibly inventive with usage.
    • People don’t look before they click.

    I ask the following:

    • Is this the fastest (most efficient) way to sanity check the data?
    • Is it being validated to prevent PEBUAK (problem exists between user and keyboard) errors?
    • How easy will this be to fix when I find a problem?
    • How much damage will this cause if it breaks?

    To WordPress or Not to WordPress

    When I have a choice of reinventing the wheel or using what WordPress already sanitizes for me, I will always pick WordPress. Every. Single. Time. This is for a very practical reason.

    • People don’t upgrade plugins.
    • People do upgrade WordPress security releases.

    By default everyone using WordPress gets security releases and they get them within 12 hours (more or less). Yes, people can and do disable that, but they’re the minority. When you talk about securing 26% of the Internet, the ability to patch people quickly is paramount. WordPress knows this.

    If I’m using the sanitize_name() function from WordPress and not a hand-hewn regular expression, then if there’s a flaw in that function I know it will be patched and the patch pushed and my users made safe. If I make it myself, I have to pray everyone upgrades.

    Excellence Uses The Right Tools

    Think of it this way. If your plugin becomes a popular plugin and 2% of WordPress users use it, then that’s .5% of all sites on the Internet using your plugin. Which is better for them? Which is safer? Do you rely on the tried and true, tested sanitization via WordPress which will emergency self-update or your own code?

    Once you think of it not as “How can I make my code succeed?” but “How can I build trust for 27% of the internet?” it’s clearer.

    Rely on WordPress and not your own code whenever possible. It’s smarter. It’s safer. It has the long-term view to take you from a newbie to a well-known tool. If there’s a security hole in WordPress, everyone will work to fix it, and it will get out to more people than just your users.
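    To make the argument concrete, here is an added example (written for this post, not code from the original or from WordPress itself) of a plugin settings handler done the WordPress way, beside the kind of hand-hewn regex the post argues against. It assumes it runs inside WordPress, where the core functions it calls are defined; the option name and form field names are made up.

```php
<?php
/**
 * Added example, not from the original post. Assumes WordPress is loaded,
 * so sanitize_text_field(), absint(), sanitize_email(), esc_html(),
 * wp_unslash(), check_admin_referer() and friends come from core.
 * Option and field names ('he_example_settings', 'he_*') are made up.
 */

// The hand-hewn approach: one regex, maintained only by this plugin.
// If it turns out to be wrong, every site keeps the bad version until
// the plugin author ships a fix AND the site owner updates the plugin.
function hewn_clean_name( $raw ) {
    return preg_replace( '/[^A-Za-z0-9 ]/', '', $raw );
}

// The WordPress way: lean on core's sanitizers. A flaw found in any of
// them is fixed in core and reaches sites via the automatic security release.
function he_handle_settings_post() {
    // Validate the request itself: dies on a missing or bad nonce.
    check_admin_referer( 'he_save_settings', 'he_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'he-example' ) );
    }

    // Sanitize each field with the core function that fits its type.
    // wp_unslash() first, because WordPress adds slashes to superglobals.
    $display_name = isset( $_POST['he_display_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['he_display_name'] ) )
        : '';
    $per_page = isset( $_POST['he_per_page'] )
        ? absint( wp_unslash( $_POST['he_per_page'] ) )
        : 10;
    $contact = isset( $_POST['he_contact'] )
        ? sanitize_email( wp_unslash( $_POST['he_contact'] ) )
        : '';

    // Validate beyond sanitizing: sanitize_email() returns '' on junk,
    // and absint() happily returns 0, which is not a usable page size.
    if ( '' === $contact ) {
        add_settings_error( 'he_contact', 'he_bad_email', 'Please enter a valid e-mail address.' );
    }
    if ( $per_page < 1 || $per_page > 100 ) {
        $per_page = 10;
    }

    update_option( 'he_example_settings', array(
        'display_name' => $display_name,
        'per_page'     => $per_page,
        'contact'      => $contact,
    ) );
}

// Escape on output, again with a core function, at the moment of output.
function he_render_display_name() {
    $settings = get_option( 'he_example_settings', array() );
    $name     = isset( $settings['display_name'] ) ? $settings['display_name'] : '';
    echo '<p>' . esc_html( $name ) . '</p>';
}
```

    The regex in `hewn_clean_name()` also silently strips apostrophes and every non-ASCII letter from real names, which is the kind of "users are inventive" problem the core functions have already been through.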

  • You Are Not Your Code

    This is not exactly what I said at WordCamp US 2016, but it is a great deal of it.

    I started my slides for WordCamp US so many times, I probably have enough content for a week of blog posts. The weight of what I was going to say there sat on my shoulders like I’m Atlas. Trying to dredge up the pain from the rejection and harassment I’ve felt over the years, all in order to write, reminds me of the carrion birds, ripping apart Prometheus, while he heals only to be torn anew each day, all for presenting humanity with the gift of fire.

    Perception: We Are What We Code

    Too often, when we think about our contributions to WordPress, we think of them in the literal terms. I have written code. I have fixed CSS. I have beta tested. I have created a plugin, a theme, a blog, a store, a book, a career. We make the fatal mistake of boiling down what we are to one thing. The contribution. The code.

    Reality: We Are What We Create

    We forget something crucial, that these creations are just that, creations! We have invented something out of nothing, purely with the power of our minds! We’re artists and dreamers and believers and builders. Anyone who’s studied art, music, journalism, knows that there’s a strange dissociation that we have to build in our hearts. The separation between what we create and who we are and what the reviews will be.

    We Can’t See the Forest For the Trees

    Artists are, often, seen as temperamental. Capricious creatures who fall to the whim of our desires and passions. People who obsess over one thing to the exclusion of others. Who trash hotels when frustrated. Who lash out. Who take the rejection of a bad review so closely, so personally, they cannot separate themselves from their art.

    If you saw my talk at WordCamp Europe earlier in 2016, or read my post about it, that sounds familiar. We, we contributors to open source, are exactly the same. Which is why it is hard, so so hard, to separate our hearts from our heads. We wanted to bring fire to earth. We wanted to share our joy. We wanted to do the right thing and change 26% of the Internet for the better. Give or take.

    Instead, we’re told our code sucks. If we don’t offer free help for our work, we’re called greedy and vain. Being driven to fix one part of WordPress is wasting our time, no one uses it. Creating new features? We should fix what’s broken, even if we don’t know how. We are pulled by a million masters, our users, and we can never do enough.

    And what about when our contributions are less visible? What about the people who spend hours making sure this WordCamp flowed smoothly? The ones who ensure funding? The one who fixed the inline documentation for core? The people in the support forums who help people for free? The people who review your themes and plugins and try and keep things fair for all. Oh, oh yes. I know that one.

    The problem here is that we all do things for good. Everyone you see at a WordCamp, everyone who is a speaker, a volunteer, a contributor, is doing this for good reasons. Maybe not entirely altruistic, we’re not all socialists and software communists like me, but I promise you, every single one of us who steps up and does things for the greater good of WordPress is doing so with the best intentions. We care.

    And they don’t see that.

    “Reputation is what other people know about you. Honor is what you know about yourself.”
    — Aral Vorkosigan in A Civil Campaign, by Lois McMaster Bujold

    One of the points I wanted to address in my talk was that there are a LOT of days when you know you’ve done the right thing, and your reputation tanks. While a lot of people here like me, appreciate my work, and respect me, I’m not so naive as to think that’s universal. I know very well that there are people who watched my talk, who read this blog, who dislike me for, say, closing their plugin or deleting their reviews. Or worse, not deleting a review.

    The Cost of The Greater Good

    I want to say the good of the many outweighs the good of the one, or the few. And there are days where you’re the one. You’re the 20% minority. These days, as my father taught me, will outweigh the ones where you are praised, thanked, lauded, and cherished. It’s the dark part of human nature. You will, you WILL do things for the best intentions, and you will NOT be appreciated for it.

    What do you do when these things happen? Well, you have choices, like I mentioned this summer. And there are downsides to each one. Otto, who’s somewhere around here, spends time talking me down from correcting people. I have a strong urge to “Well, Actually…” the people who insist I have evil in my heart and I’m power hungry. Other people listen to me vent a little. And sometimes I subtweet.

    But this is the part that hurts. You can’t win. It’s impossible. People won’t believe you if you defend yourself. They won’t accept your explanations, they’ll see them as excuses. Silence will be seen as proof they were right. Fighting back? A show of weakness or a cover up. There is, literally, no way to win it. Ever.

    Outsmart, Outplay, Outlast

    Outsmarting them can be a Pyrrhic win. Outplaying? You can try, but I wouldn’t. But what if you keep going? Then the win is not a win but sort of an eventuality. Awesome, I know.

    You can’t teach a pig to sing. It frustrates you and annoys the pig. That’s a Southernism from my in-laws. There are some people you just can’t reach, no matter what you do. That’s where the remark of “I’m sorry you feel that way.” comes from. When I say that, I’m not giving up, I’m accepting futility.

    And yet. You know that saying? The one about serenity and accepting what we cannot change? I hate it. I don’t believe there’s a single thing we cannot change, just perhaps not as quickly as we’d like. Accepting futility means I accept that there is no way I can, right now, explain myself well enough to change a mind. Yet.

    It’s not about being smarter than someone else, it’s about being smarter than yourself

    If you can convince yourself not to be stupid, you will protect yourself from just about everything. Outsmarting yourself is hard, though. You want to believe that you’re right. You have to remember that there is always someone smarter than you, somewhere. And no one is stupider than past you. That’s why we leave ourselves notes in documentation. To make sure future you remembers. Not being stupid means not picking fights. It means recognizing when you’re wrong.

    The secret behind outplaying is you’re outplaying your own tendencies and habits. You know yourself. You know when you snap off a reply you shouldn’t, or when your humor is more biting than it should be. You have to play yourself and not do those things. Fool yourself and you’re the fool, but play to your strengths and you can keep yourself humble while preventing your inclination to be stupid.

    If you outlive everyone, then you get to write the history. That takes a lot, A LOT of patience. More than most of us have. And it requires being able to tell someone you’re sorry you can’t help them, or you’re sorry they feel that way, and you walk away. And you wait. And wait. And wait. The being quiet part is the hardest, because people like to fill silence, especially you. But you must wait to survive.

    Survival is not about the Fittest

    I could tell you how I survive. I could tell you to subtweet, to blog, to scream, to ride your bicycle until your lungs feel inadequate and your legs are on fire and your blood pounds so much, your Apple Watch wonders if you’re having a heart attack. I could tell you to talk to someone, a loved one or a professional, and maybe to try meditation. The Breathe app? Pretty nifty.

    Remember how I said everyone at a WordCamp wants to make WordPress better? And remember how I said you’re not code? I lied a little. You ARE code in that you, me, everybody is WordPress. And while I cannot tell you the right answer for you and how YOU can survive the storm and the hate that you will face, I can tell you that you are not alone. That you are one of us. And that WE are here too.

    As a team we are stronger. We can rely on each other. We can lean on each other. We can take our shared love of sports, or food, or a same birthday, and find connections with each other.

    What I Don’t Know…

    The one thing I cannot tell you is why people hate. I don’t understand it myself. I suspect I never will. But what I can tell you is that we are better together. The way to make it past the hate is together. I am strong, mentally, because I turn to my community, sometimes quietly and sometimes loudly, and ask for help. There’s no shame in that.

  • WordCamp LGBT Tribe is Code

    Last Friday we had the first ever LGBT+allies party at a WordCamp. It wasn’t really the first time we all got together, but it was the first time we stated to the world that this was what we were doing.

    How did it go?

    We sold out our 150 tickets. We ran out of shirts. We had an open bar and music and food (real food) and pins and stickers and a million little things. It was loud and a great many more people than I thought would show up did show up. Matt was there too.

    Tracy and I kvelled about it. We never expected that. We thought maybe a dozen, or fifty at most, would show up. We thought it would be mostly the queers, filtering in and out. We thought it would be more of a flow.

    What we got was a packed house. We had around 200 people who came in, queer and straight, to be there for each other and to support and hug and be there. What we got was a moment where our two tribes were there. Our nerdy WordPress people and our fabulously gay people, together, combined to remind everyone that the best part of us is the us.

    Community is what makes WordPress so amazing. I spoke about that on Friday as well, that individually we are not our products, our code, but together we are 27% of the Internet. Individually, we are not just gay, straight, queer, trans, or ace. Together, we are the LGBT+ tribe. Together we are the queers of WordPress. We are a huge slice of WordPress and we are not alone.

    I like to joke that WordPress makes queries for a reason, that WordPress is queer. And it really is. The last four years WordPress has gone from quietly supportive into publicly proud.

    Thank you, everyone, who sponsored and came to the party last week. You stood up and reminded us that we are not alone. And as much as 2016 sucked, we have each other’s backs.

    I don’t know how, but we will have to figure out how to do this next year at Nashville, because this was too amazing to do it as a one-off.

  • WordCamp US – LGBT+Allies Tribe Meetup

    Thanks to the undying energy of Tracy Levesque and the dollars from many donors (including DreamHost), there will be an LGBT+Allies meetup on Friday night at WordCamp US. Yes, NEXT Friday. So if you don’t have plans, or if you just want some big gay friendly hang time, we’re inviting everyone to come hang out with diverse WordPressers at Philly’s most welcoming gay bar.

    You don’t have to be gay to come, but you have to be gay friendly.

    WordPress is welcoming to people of all cultures, beliefs, and sexualities. In celebration of our community, we decided to have an unofficial (non WordCamp sanctioned) meetup of the LGBT WordPressers and their straight allies. The celebration will be during WordCamp US at Stir Lounge, Philly’s most welcoming gay bar.

    We’ll have most of the place to ourselves with delicious food from The Khyber Pass Pub and an open bar.

    This event is made possible by our generous sponsors!

    • YIKES, Inc.
    • DreamHost
    • WPEngine
    • rtCamp
    • Cornershop Creative
    • Automattic
    • 1SEO.com

    Bring your rainbow pins and your smiles.

    Personally, I think now, more than ever, it’s important to know where your tribe is and that we’ve got your back.

    You can get a ticket (for a whopping $0) at lgbtwp.ticketleap.com


  • The Perception of Approachability

    I’m speaking at WordCamp US. Someone I don’t know pinged me and said they were happy to see I was speaking, and they’d be there from their country. I haven’t the foggiest idea who they were or why they were telling me this.

    A few years ago, at my first WordCamp San Francisco, someone followed me for a few city blocks. Or at least he tried to. I was going out and he followed me out of the area. I paused, we chatted a moment and as I tried to leave, he kept talking. This pattern repeated until I finally said “I need to go. Goodbye.” He kept talking. I spotted a female WordCamper I knew and she immediately came up and told me my wife was on her phone and was mine broken? Not at all. We lied. But I went with it, checked, looked shocked that it didn’t light up, and said it must be dead. I took her phone and proceeded to start a fake conversation that my wife had locked herself out of the car, 3000 miles away.

    In 2015, I was at a WordCamp where someone was very much crowding up in my personal space to talk. I quickly stepped back and when he leaned in, held up my hand and asked for personal space. At another WordCamp later that year, a similar thing happened to a friend of mine. I saw she was agitated and wanted the conversation to end, so I walked up and smiled and said I’d been looking for her. I knew the man, I thanked him, apologized for interrupting, wished him a good day, and he nodded and walked off.

    These are pretty normal events in my life.

    It’s a common, regular occurrence for people like me.

    I talk to hundreds of strangers a day in my work. I email at least 30 people a day with notes about their code. I converse with customers, co-workers, and a lot of random people. I don’t know many of them. We are not friends, these random people and I. We are not besties. We are not people I hang out with on their couch and play rude games. But the perception is, since we’ve had some conversations, we’re somehow closer than normal.

    And yet all four of those people, all men by the way, seemed to assume a level of connection that I did not. They all immediately felt I was ‘one of them’ and monopolized my time, not taking the social cues of ‘no’ until it was stated, and even then I had to be forceful.

    Flip the tables.

    Have I ever felt this way about women? Actually yes. I’ve had women at WordCamps do the exact same thing. In 2014, someone kept asking me question after question about being a Woman in WordPress, until I politely turned to another woman and pointed out she too wanted to talk to me. In every case with women, however, they get it when I try to redirect the conversation to ‘I need to leave’ or ‘this conversation should end now’ and they get it without rancor or offense.

    This happens outside WordPress too. It’s actually a great deal worse outside WordPress. But in many cases, people attribute a greater level of friendship to an online social connection than I seem to.

    Of course there are exceptions. Most of my greatest friends came from random internet connections. People who, literally, changed my life with a job recommendation, held me while I sobbed over a death, had a girly sleepover where we giggled until 1am when we totally shouldn’t have since we had to be up at 6am for volunteering, offered me a couch, shawarma, or even just a gentle “Hey, I’m here for you. Are you okay?” They too came from this online place.

    So what’s the difference?

    We’re more approachable online, certainly. We let our barriers down and we engage more because it’s (mostly) safer. We can talk about how we feel, we can sob, and no one sees us. We’re freer. And with this freedom and honesty comes a ‘connection’ that sometimes transforms into true and honest friendship, and sometimes doesn’t.

    But when we move the online relationship into a physical one, we worry. We worry if the person is who they presented themselves to be and we worry if we’re going to get hurt. Many women worry if we’re going to be physically hurt. And we can’t tell. We often have no way to figure this out until it’s too late.

    I don’t have a solution to this problem, but I can tell you this. When I meet new people, even at a WordCamp, and when strangers reach out and tell me they’re excited to meet me, I receive that with a little trepidation and caution. I text my wife to tell her where I am, who I’m with, and if I’m worried. This is unlikely to change any time soon, and has nothing to do with the US political climate. What it has to do with is the understanding of what exactly makes up our connection.


  • Clear Communication

    “Your guidelines should be so clear as to not permit so much wriggle room,” he said.

    I stared at my screen for a moment, feeling my neck heat up with the sheer arrogance of his implication. Besides the fact that I did spend quite a bit of time trying to make them as transparent and clear as possible, it’s a known impossibility.

    Anyone who’s ever written anything knows that it will always be interpreted by someone in an unintended way. Have a look at the US Constitution, which we’re still arguing about to this day. It’s categorically impossible to write anything in a way that will be perfectly understood by everyone who reads it, past, present, or future.

    Let’s step back, though, and think about what the point of such a statement might be.

    Everything we write for the purposes of education should be as clear as possible, in order to minimize confusion. We can all agree on that. Guidelines, documentation, how-tos, and the like are all for education. When you write a story, a novel for example, you don’t need to write for clarity but for a different purpose. I won’t get into that today.

    To that end, his statement was correct. We should write our guidelines not to permit wriggle room.

    However, when we consider what the guidelines were, and please note they are indeed guidelines and not rules, we hit a different situation. Guidelines are meant to direct people into doing what is expected of them. Some can be as clear as “Don’t steal” but others have to be a little more broad, like “Don’t hurt people intentionally.” That’s a very big statement, and while it’s certainly a good guideline for any group, enforcing it without specific examples is always going to be problematic.

    The difference between rules and guidelines is that rules can be clear, while guidelines must allow for interpretation. And even with rules, it’s categorically impossible to write them in a way that will never ever be misconstrued.

    So what do we do?

    We write things as clearly as possible. We state, upfront, that the guidelines have an intended purpose and what that is. We remind people that the guidelines cannot cover each and every possible permutation of events. We admit that some of these will be up to the discretion of the people enforcing them. We write a disclaimer that we are human and we are mortal.

    We do our best. And if someone says “These could be better” we ask “How? Please help.”

    I can tell you from experience, less than 1% of people who complain about your guidelines will help, though.
