Half-Elf on Tech

Thoughts From a Professional Lesbian

Tag: security

  • Software Death Isn’t New

    The answer, Jeff, is yes. But they’re weird and hard to find.

    Back around 2008 or so, my father published a paper on the death of Lisa Norris.

    Don’t know who she is? Don’t worry. Most people don’t. Norris died of radiation overexposure that was determined to be caused by a software issue. People hadn’t fully tested software changes. I only know who she is because I maintain my father’s website and converted all his PDF articles to posts. In doing so, I read them all.

    I’m not a mathematician like my father, and luckily he and I share a fantastic trait. We’re both used to explaining technical things to non-technical people. Or rather, we can explain the technical things to people who are cleverly technical in other arenas. Yes, that’s where I learned it.

    When I saw Jeff’s tweet, I asked if he was serious (as opposed to just ruminating on Twitter) and then directed him to two of my father’s articles. First I pulled up the one about Lisa Norris, since that stuck in my memory. But then I remembered he’d written an article for the Nikkei Asian Review that was more non-mathematician readable. Knowing that he’s written the first paper gives a little more credence to the statements he makes when he talks about Death by Software.

    The part that has always stuck in my mind is this quote:

    As Dr. Nancy Leveson wrote in her Therac-25 investigation report: “Most accidents are system accidents; that is, they stem from complex interactions between various components and activities. To attribute a single cause to an accident is usually a serious mistake. We want to emphasize the complex nature of accidents and the need to investigate all aspects of system development and operation to understand what has happened and to prevent future accidents.”

    When we talk about how software can (and will continue to) kill people, we get stymied by the considerable complexity of the question. Did Lisa Norris die because no human thought "This looks weird"? That is also why it's hard to say "Give me the statistics on all people who died because of software failure." We have to define what, specifically, a software failure is.

    In the book (and the movies) "Fail-Safe," we face nuclear war because a light burns out, causing a false-positive alert that sends American bombers toward the USSR. It's very similar to the book "Red Alert" (and of course the movie "Dr. Strangelove"). The failure is that our fail-safe measures, the steps we take to make sure that a machine (or computer) cannot make the situation worse, turn out to be nothing more than a pipe dream.

    At its crux, death by software is often the result of a failure of imagination. I first learned of the phrase when reading about the Apollo 1 fire of 1967. Astronaut Frank Borman, at the post-mortem hearings, spoke of how the fire, and the deaths, were born from our failure to imagine how things could go wrong.

    Why don’t we have statistics? We would have to be very specific in what we ask for. How many people have died because their GPS was wrong? How many people died because the software to handle Anti-Lock Brakes failed? We do not lump all software failures together, making the research mystifying and bewildering. This is not meant as an excuse, though even to me it feels like one. We should be more transparent in how our software kills.

    And rest assured. Software kills.

  • Mailbag: Self-Signed SSL

    This was actually a tweet, not an email, and I’ll get to it later on in the post.

    Essentially, a weird thing happened.

    I’ve been setting up SSL for admin’ing my sites (because you should) and using a mix of Comodo SSL via Namecheap and StartSSL depending on the domain. But I also set up some Self-Signed SSL certs for other domains. In particular, this one.

    Now. What an SSL certificate actually does is let the client check which server it's talking to: it binds the server's public key to a name. The encryption of the connection comes from the TLS session itself, and you get that with a self-signed certificate too. What you don't get is any way for the browser to tell your self-signed cert from one an attacker minted for the same domain name, so it can't rule out someone sitting in the middle. All a paid cert adds is "and this CA checked that I own the name," so now you're 'trusting' three parties instead of two. The point is that there's nothing wrong with a self-signed SSL certificate in specific situations.

    If you're messing with money or personal identification, you need a certificate signed by a CA the browsers already trust. This isn't even an option. But halfelf.org doesn't do that and I really just wanted an SSL cert for a secure connection to my wp-admin dashboard. No big, right? So I did that, posted a new article the next day, and my buddy Mike said:

    hey there, clicking on the article title from the email notification tries to force https:// and throws privacy error warning

    What the what?

    For some reason, the setup that works perfectly fine, with no errors, on ipstenu.org wasn't working on halfelf.org, and the only difference was the self-signed certificate. Apparently the emails sent by Jetpack grabbed the https URL, and while the server was set to redirect to http, users still got that moment of "Hey, this isn't a real certificate."

    I know that a self-signed certificate means there’s no chain of trust, but it’s quite annoying that Google Chrome and other browsers flip out when you’ve done it. If it was just a warning “Hey, this site is secure but we can’t verify it…” that would be one thing. But what Chrome does is slap up a big fat warning and stop users, making it a double click through to get to the page, which forces them back to http anyway. Visitors may not trust my site to be safe, but frankly, that site wasn’t really meant to be ‘safe’ anyway. It’s safe on the back end for me. Not you.

    It's a complicated mess, and I can't wait for Let's Encrypt to take off. I'll be installing that on my server ASAFP, because it will hand out certificates the browsers trust without my having to pay a commercial CA.

    To fix it for now, I turned off SSL over admin (which literally was all I'd done for WP) and picked up a legit certificate. But it's rather stupid that the email sent from Jetpack decided it was meant to be https when it wasn't, and that my site forcing http over https for non-logged-in users wasn't enough to convince the browser they were in the wrong place.

  • CloudFlare’s SSL

    CloudFlare’s been pushing SSL for a while as a new feature. We all know that SSL is a great idea, that any time you have someone logging in, it should be secure. If you’re handling money, it should be secure. If you’re taking any personal information, for god’s sack (sic), make it secure!

    A major problem with this has often been the cost overhead. You can self-sign your certificates, but that pops up other errors for people. Really what we want is a simple, not-super-expensive way to have security where and when we need it. Until Let's Encrypt kicks off later this year (and probably for another year after that), it's complicated and expensive to set up shared hosts with certificates, even if you use SNI.

    Enter CloudFlare and their bold proclamation that they’re going to provide free One-Click SSL for everyone, even their free-plan users. This is great! Except that it doesn’t work quite right.

    First off, if you use the Flexible SSL plan, the one that doesn't change your URL to HTTPS, then you need to use a plugin like CloudFlare Flexible SSL. Or you can just toss this into your wp-config.php:

    #SSL
    // CloudFlare talks plain HTTP to this server, so WordPress's is_ssl() would
    // otherwise never see the visitor's HTTPS. Trust the X-Forwarded-Proto header
    // only if this server accepts traffic solely from CloudFlare: any client that
    // can reach the origin directly can set this header to whatever it likes.
    if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] == 'https') {
    	$_SERVER['HTTPS'] = 'on';
    } else {
    	$_SERVER['HTTPS'] = false;
    }
    

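    The same decision the wp-config.php snippet makes, written out in Python as an added example (this is not code from the original post, from WordPress or from CloudFlare) so that the one check the snippet leaves to your firewall is visible in the code: X-Forwarded-Proto is only believed when the TCP peer is one of the trusted proxies. The proxy ranges below are RFC 5737/3849 documentation addresses standing in for real ones; in practice you would load CloudFlare's published ranges.

    ```python
    import ipaddress
    from typing import Iterable, Mapping

    # Assumed trusted-proxy ranges. These are documentation prefixes used as
    # placeholders for this example, not CloudFlare's real address list.
    TRUSTED_PROXY_NETWORKS = [
        ipaddress.ip_network("198.51.100.0/24"),  # TEST-NET-2, RFC 5737
        ipaddress.ip_network("2001:db8::/32"),    # RFC 3849 documentation prefix
    ]


    def from_trusted_proxy(remote_addr: str, networks: Iterable = TRUSTED_PROXY_NETWORKS) -> bool:
        """True if the connecting IP belongs to one of the trusted proxy ranges."""
        try:
            addr = ipaddress.ip_address(remote_addr)
        except ValueError:
            return False  # garbage or empty REMOTE_ADDR is never trusted
        # Membership across IP versions is simply False, so mixed lists are fine.
        return any(addr in net for net in networks)


    def request_is_https(server: Mapping[str, str], networks: Iterable = TRUSTED_PROXY_NETWORKS) -> bool:
        """Decide whether the visitor's connection to the edge was HTTPS.

        Same logic as the wp-config snippet, plus one rule: the forwarded
        header is ignored unless the request came from a trusted proxy.
        Without that rule a client that reaches the origin directly can
        claim HTTPS for a plaintext connection, or the reverse.
        """
        if server.get("HTTPS", "").lower() in ("on", "1"):
            return True  # TLS was terminated on this server itself
        if not from_trusted_proxy(server.get("REMOTE_ADDR", ""), networks):
            return False
        # Chained proxies may append values; the leftmost is the client-facing hop.
        proto = server.get("HTTP_X_FORWARDED_PROTO", "").split(",")[0].strip().lower()
        return proto == "https"


    def wordpress_https_value(server: Mapping[str, str]):
        """What the snippet assigns to $_SERVER['HTTPS']: 'on' or False."""
        return "on" if request_is_https(server) else False


    if __name__ == "__main__":
        # Constructed requests: one via the proxy, one straight to the origin.
        via_proxy = {"REMOTE_ADDR": "198.51.100.7", "HTTP_X_FORWARDED_PROTO": "https"}
        direct = {"REMOTE_ADDR": "203.0.113.9", "HTTP_X_FORWARDED_PROTO": "https"}
        print("via proxy:", wordpress_https_value(via_proxy))
        print("direct, header spoofed:", wordpress_https_value(direct))
    ```

    The Flexible plan is exactly the case where this matters: the origin only ever sees plain HTTP, so the header is the sole evidence of what the visitor's connection looked like, and evidence a stranger can forge is no evidence at all.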
    Secondly, if you’re not actually changing the URL to SSL, you’ve got a problem. I don’t want my users to hit https all the time, not for all my sites. And all the reasons we don’t use https everywhere aside, it’s something to keep my running costs down.

    My rule is that SSL should be used anywhere where you are transmitting information that should not be public, and this suddenly was an issue when I looked at the levels of security. The one I’d want would be Full SSL, as it “Encrypts the connection between your site visitors and CloudFlare, and from CloudFlare to your server.”

    And there are two types of Full SSL, one of which is 'Strict' and requires a certificate on your server that CloudFlare can actually validate, so a self-signed one won't do there; plain Full accepts a self-signed certificate.

    CloudFlare SSL for everything? Not exactly: Full SSL (strict) is too strict.

    The obvious implication here, however, is that everyone would see HTTPS in the URL, and I don't really want that. Of course, that's not what they meant. What they mean is that IF a visitor uses https for the domain, then CloudFlare encrypts both legs, visitor to CloudFlare and CloudFlare to your server. Otherwise it remains http for the domain.

    So basically normal SSL. And this is what I want, because I do have a purchased SSL cert for the domain in question and I do want to be secure all down the line. If I were using a self-signed certificate, I'd use Full SSL (not strict), and that would work as well, with the caveat that CloudFlare then encrypts the leg to my server without checking whose certificate it is talking to.

    One important thing to keep in mind is that if you choose to use Flexible SSL, you're not giving yourself login protection! As they point out, this gives you an encrypted connection between your site visitors and CloudFlare, but not from CloudFlare to your server. This greatly reduces the possibility of being sniped or sniffed on the visitor's side, but everything from CloudFlare to your server, passwords included, travels in the clear, which means if you use Flexible SSL for your store, you're a moron.

    With that in mind, what good is it? Well, you get an encrypted connection between your visitors and CloudFlare for your domain, and that, if you're using CloudFlare, is a great thing.

  • I’m Fine With Envato

    I just don’t use ThemeForest.

    Look. I think Envato is actually pretty awesome. They’ve made a way to help people monetize development within WordPress. I’m all about that! I want to see people making a living from WordPress and I want people to be able to succeed and make WordPress even better. A number of people I know who are currently successfully running their own WordPress related business got started over there.

    So why don’t I use their products? I haven’t had a need to. I don’t use WooCommerce either, or their themes. There’s nothing wrong with that. But there is a ‘problem’ with Envato, or rather there’s one with ThemeForest, and it’s the same problem as we have on the WordPress.org plugin repository.

    The last (and possibly only) time I mentioned them, I said I had an issue with their lack of upgradability. If I buy a theme or a plugin, I can't easily get updates. I'm stuck on the old way of downloading when I get an email. There's no way to do it easily from inside my dashboard. This is a problem of our own creation. Ten years ago, that was normal. Today, we have a reasonable expectation to easily upgrade WordPress, its themes and plugins.

    I happen to know Envato’s working on it, so I still look forward to their solution.

    But they have the exact same problem as we have with the WordPress.org plugin repository: crap code.

    You see, there's no practical difference between the WPORG repository and ThemeForest in how they handle reviews, except that they actually may be checking on every upgrade. If you didn't know, ThemeForest does review things. But they do it exactly like we do! They read the code, they test it, they look for evil things, and they approve or not.

    Theme review on WPORG is a tighter ship than plugin, for a few reasons, but frankly I doubt the overall quality of code on WPORG (plugins) or ThemeForest is all that different. We’ve had some pretty insane vulnerabilities in plugins, after all, and the WPORG repository doesn’t have a great way of dealing with them. But to say that you don’t trust ThemeForest because the code quality is bad while simultaneously using any free plugin from ORG is naive at best.

    The constant problem we have with plugins, and one they have with ThemeForest themes, is that we allow a lot of different types of code. In being liberal like we are, we can allow for a lot more creativity and expression and, well, art. The downside is that there's a practical limit to what a human being will be able to catch. We're like the TSA. We try, but we're fighting a losing battle, and that's why we're always going to miss things and we're always going to be running behind and cleaning up.

    And worse, they have the same problem with any code they yank. How do you upgrade everyone? When is it right and safe? When is it an overstep? Weighing security risk against disclosure and compatibility is complex. For the WordPress.org repository, we have a long way to go before we'll be able to push minor security updates like core can… at least not without a lot of fear and consideration. We're on the road there, though, so one day you may wake up to a plugin magically secured on your site.

    Oh and as a reminder? If you see a WordPress.org plugin hosted that is insecure or doing evil things, email plugins@wordpress.org with the plugin URL and all the possible information about how it’s insecure. If you know how to hack it, please tell us exactly what you did. You make it faster for us to sort things out.

    For Envato, you can report these things via their Helpful Hacker program.

  • Stop Using Copy Protection

    I’ve seen a million features out there to ‘prevent people from stealing your content.’ The idea is that by preventing people from (easily) copying your work, you stop them from stealing it and profiting off your efforts. You may even think that you’re saving your images from being stolen. In general, they use javascript to prevent things like right-click, view source, copying text, and disabling keyboard short cuts. In general, they suck and here’s why.

    User Experience

    Anyone who uses a screenreader or an alternative mouse tool now, officially, hates you. You’ve made your site look like absolute crap. Some screen readers can no longer read your content at all. Also not everything handles javascript very well (which is by far the ‘most popular’ way to block out content) and that makes for a pretty lousy experience for your visitors.

    Support

    If you have a problem with your website and ask the world at large for help, they will take one look and hate you. No one can easily help you with your CSS or your layouts or your design now, because you’re protecting content. When customers ask for help, the first thing I do is turn those plugins off so I can use my normal debugging methods and not worry about cruft interference.

    It Doesn’t Work

    If you disable right-click, you make it harder for me to bring up Chrome's dev tools, but not impossible. You can't make it impossible. This is, in part, because there are so many different browsers to account for, but also because developers really don't want you to be able to kill dev tools. We need them to fix the web, and if I were to leave the dev tools open and then visit your site, they would still be open on your site.

    Once I have dev tools open, I can view the resources loaded by your page. Take Instagram, who doesn't let you right-click on an image to download. I can instead right-click, choose 'Inspect Element' and I get this:

    element.style {
        background-image: url(http://photos-g.ak.instagram.com/hphotos-ak-xaf1/t51.2885-11/10912600_6619567248918_1818171895_n.jpg);
    }
    

    Guess what I can do now? Load that URL in another window, download, done. If that’s not available, I’ll go over to the Resources tab, open up the Instagram folder, then Images, and find the image I want. Again, done.
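    The same point from outside the browser, as an added example that is not part of the original post: anything that fetches the HTML sees the same image URLs the browser does, and a few lines of Python pull them out with no right-click, dev tools or JavaScript involved, so the blocking script never even runs. The sample page, its URLs and the patterns are constructed for this example; the `oncontextmenu` and keydown handlers stand in for the kind of "protection" the plugins add.

    ```python
    import html
    import re
    from typing import List
    from urllib.parse import urljoin

    # Constructed sample page: a right-click blocker, a key blocker, an <img>,
    # an inline background-image like the Instagram one above, and a stylesheet.
    SAMPLE_HTML = """
    <html><body oncontextmenu="return false;">
    <script>document.addEventListener('keydown', e => { if (e.key === 'F12') e.preventDefault(); });</script>
    <img src="/uploads/2015/photo-full.jpg" alt="protected">
    <div style="background-image: url('https://cdn.example.test/hero.jpg')"></div>
    <style>.thumb { background: url(/thumbs/one.png) no-repeat; }</style>
    </body></html>
    """

    # <img ... src=VALUE ...>, with VALUE optionally quoted (group 2 is the URL).
    _IMG_SRC = re.compile(r'<img\b[^>]*\bsrc\s*=\s*(["\']?)([^"\'\s>]+)\1', re.I)
    # url(VALUE) inside inline styles and <style> blocks, quoted or not.
    _CSS_URL = re.compile(r'url\(\s*(["\']?)([^"\')]+)\1\s*\)', re.I)


    def extract_image_urls(page_html: str, base_url: str) -> List[str]:
        """Return every image URL the page references, absolute, in page order.

        The page's JavaScript is never executed: this only reads the markup,
        which is exactly what the browser was handed before any blocker ran.
        """
        found = [m.group(2) for m in _IMG_SRC.finditer(page_html)]
        found += [m.group(2) for m in _CSS_URL.finditer(page_html)]
        seen, urls = set(), []
        for raw in found:
            full = urljoin(base_url, html.unescape(raw))  # resolve relative paths
            if full not in seen:
                seen.add(full)
                urls.append(full)
        return urls


    if __name__ == "__main__":
        for url in extract_image_urls(SAMPLE_HTML, "https://example.test/post/"):
            print(url)
    ```

    Swap `SAMPLE_HTML` for the body of a real GET and the output is the download list; fetching each URL is the only step left, and nothing in the page can interfere with it.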

    There’s Only One Way

    There is but one foolproof way to prevent your content from being stolen: Don’t publish it.

    But of course no one wants to hear that. So what's the other way? Well, give up on keeping your words from being stolen. Even if you make it difficult, people will get at them. People type up books and scripts today; they'll do it for your website if they're properly motivated. Images, on the other hand, are a different issue. If you're a photographer, don't put your full-sized images online unless you're selling them. And if you are selling photographs, put them on a cloud host like Amazon. Large files and PHP aren't the best of friends anyway. Your website, unless it's a store, doesn't need the 10 MB image file.

    As much as it pains me to say it, DRM is also a solution. So is watermarking your images. The way people like Getty protect their images is to lock it down to purchased users only. You can (fairly easily) download the smaller, sample images, but the awesome big ones are locked down.

    But that’s how you protect your content. Not with those plugins.

  • MailBag: Why Do You Do It?

    Zaman dropped me a year end note. He’s been asking people, interviewing them, for a site, and had three questions about why I do what I do (and a little bit of how). It deserved a public reply.

    1. You have been actively volunteering at the WordPress support forum, and with your solutions individuals and companies save a big chunk of money. Your family and job at DreamHost are your top priorities. Then your priority becomes the website you run (halfelf.org). You still manage to take out a couple of hours to hit the WordPress forum. You mention in one of your blog posts that some people volunteer because they enjoy it and some do it to master skills. What drives you to volunteer at WordPress?

    What drives me to volunteer at WordPress is little more than a bit of technical socialism. I give back because I get back, and it seems only logical and fair and just to make the time to do these things. Admittedly, having my job actually be to know WordPress' ecosystem and keep a good relationship between WP and DreamHost makes this far easier for me than most. But at the same time, I was doing this before it was my job. And I did it because I could.

    I have a hard time explaining the need to give back to people, because it’s something you either understand in your heart or you don’t. Call it a random act of kindness to the universe, I help with WordPress because I can, because I enjoy it, and because it makes me feel good to do it. I won’t deny I get awesome emotional props from doing it, a feeling of absolute satisfaction and pleasure knowing I can help people, but it’s really just that. I like doing it. I make the time for it.

    2. Your insights on halfelf.org are remarkable, and the blog post "whose responsibility is it" in particular draws my attention. You convey that it is the business owner's responsibility, and not the WordPress core's or the web hosting company's, to perform due diligence before they install plugins. You also call out that there is a need for more security experts. Is there a shortage of WordPress security experts in general, or in the WordPress public support forum?

    Do I think there’s a shortage of WP security experts? No, I think there’s a shortage of security experts in general. I think the masses of people would rather do awesome and create awesome than study security and delve into things. The fact that I can think of a hundred ways to socially engineer going to see a movie for free without breaking a sweat, the fact that someone like Frank Abagnale was able to pull off what he did underscores the issue.

    At our heart, humans want to trust. We want to believe people won’t screw with us. And when you factor in just how complex computers and code can be, of course we have faith that the people who write code are writing the best code to their ability and know what they’re doing. And we have faith that, when a bug or a security flaw is reported, people will fix it as fast as they can.

    WordPress complicates this, since there are so many plugins and themes out there that there isn't a centralized place to report a problem. Even if there was, there's no way to enforce that the bug is fixed, and there's no way to be certain everyone will upgrade. Just look at the nightmare from the RevSlider situation. Once you add in the world of non-wordpress.org-hosted code, it's impossible to maintain any control.

    If more developers were security conscious this might be less of the case, but it’s a problem in Open Source. The Heartbleed vulnerability is a prime example of that. One change, missed by many. It’s not just WordPress, it’s how we develop in Open Source. The speed of our work makes issues like this sadly more common and possible. So we need more people who love hacking into things and breaking them and then responsibly passing on fixes to make things more secure. I do feel that Github and sites like it are actually a great step forward. I can file a pull request with a fix and pass on the help in that way.

    This does require hobbyists to step up and be a bit more of a true developer, but they have the most to gain from it in the end.

    3. Examining and reviewing the plugin software may not be possible for small businesses. Do you have a list of plugins that should be avoided, or a checklist that should be considered before installing plugins? I am not asking you to list them here. Maybe an article on halfelf.org would be very useful for the WordPress community.

    I don’t have a list. I can’t have a list. It’s impossible, given the rapidity with which plugins are updated, fixed, released, and closed. It’s just not feasible. I tried, at DreamHost, to keep tabs on plugins like that for about a week. Then I gave up. It would be a full time job.

    And I disagree it may not be possible for a small business to have an audit done on their plugins and themes. They can hire someone. It would be expensive, certainly, but frankly I find the alternative untenable. If you had a physical store, you’d pay to have a security audit once in a while, if only by your security company. This too is a part of running a business. Period. You just can’t dismiss it as ‘not possible’ when it’s your career on the line. Complicated, expensive, and annoying I will grant you. But you have to do it. Even if it’s just once a year, you’re a step or ten ahead from where you were before.

    I’ll say this, however. I would expect someone like Pippin over on Easy Digital Downloads to be reviewing all add-ons he lists on his site. Anything he sells, certainly, but also this big list of free add-ons should be checked for basic security before being listed. In this way, a small company can know they’re reasonably secure with that suite of plugins.

    Are there plugins that should be avoided? Sure. I suggest you avoid anyone you can't figure out how to contact in case of a security issue, anyone who encrypts their code so you can't read it, and anyone who, when you do contact them, blows you off.