Inversion

i awoke one morning and walked out of a steel cylinder to a world that at first glance was similar to my own, but it was not. exploration revealed this world to be different in small details previously unnoticed. the vermilion hills greeted me like a lover’s arms, but the wood of a fence post was of a kind I had not seen.

there were people but we could not communicate. the animals were odd too. there were cows but they had humps. there were owls but they burrowed. and the road was covered with unfamiliar tracks.  even the night sky was different.

so i looked up and marveled at the beauty of it, and that i too would soon be different from living in this different world.

“Common Core” Math (new math): a refutation of one of the lamer attack memes

the offending meme.

A week or two back, an acquaintance of mine put a meme up on their Facebook page attacking “common core”* math. I tried to bring some wisdom to the situation, and some people listened. Since a lie can spread around the world in the time it takes the truth to put on its shoes, I thought I’d write a full refutation of this nasty piece of work, complete with pictures.

I explained why what the teacher wrote on the paper was correct, but I used too many words doing so and some people tuned me out. So it might be easier with pictures.

Instead of thinking of them as abstract numbers, think of them as sets. Think of a set of 8 dots and a set of 5 dots.

The critical issue here is that while you are adding 5 to 8, you don’t have to add the five circles all at once. You can add two circles first:


That gives you ten. As the instructor said, “Yes you can.” You then add the remaining circles to get a single group of 13 circles. But 10 circles (with 3 remaining) is a completely legitimate interim step when adding a set of 5 circles to a set of 8 circles.


There. 8 + 5 = 13. You just don’t have to do it all at once. The idea that you don’t have to do addition or subtraction all at once, that you can shift values around for your own convenience, becomes really important in any form of math from algebra up.

If this seems simple, it’s because it is. This isn’t about common core, it’s something called the “new math.” Essentially it has to do with teaching kids to understand what they are doing instead of just memorizing stuff. It’s been around a fairly long time.

It shouldn’t be controversial at this point. I don’t want to go into the possible motivations of the people who are attacking this. I will say that posting a meme like this reveals one’s ignorance.

There is no shame in being ignorant. It simply means that you don’t know. If you realize that you don’t know and seek knowledge on a subject, you will no longer be ignorant. This process is something we all must do, as no one can know everything about every subject. There is no shame in admitting one has been wrong: it’s a necessary precursor to being right.

* In reality, this has nothing to do with common core. I have teacher friends: some of them have had issues with common core, but it doesn’t have to do with the curriculum: it has to do with the implementation timetable, and with the standardized testing taking time away from teaching the kids. I apologize to teachers out there if that’s an oversimplification. But this dumb meme has nothing to do with common core: it is reactionaries attacking what they don’t understand instead of trying to understand it.

Hack Attack 2014!

(screenshot of my inbox, taken 2014-12-03 at 11:14 AM)

So, per a previous blog post on security, this is why you don’t use an obvious username. If you look at the number of emails in my inbox, there are 316. There were actually over 400. The night before, there were 18. Each email represents 4 attempts to brute-force a login on one of the sites I host, so that’s around 1600 attempts to guess the password.

The site in question has a math captcha, so this really shouldn’t be happening at all. I guess someone found a way to get past the WordPress math captcha I paid $8 for: these things happen. On the other hand, basic security does the trick here. The username they are trying to hack is the wrong one. They are basing it on the URL: the username they are trying is the URL…

It seems they have the wrong username. I’m not going to give them any help figuring it out!

Guess what, that’s not the actual user name! So even if they somehow stumbled across the right password, they would have to have the right username and, in this case:

1. It has nothing to do with the name of the site.

2. It’s not admin, administrator, webmaster, or any conventional user name.

So they won’t be able to hack the site this way no matter how hard they try. To summarize, use basic security precautions: a nonstandard username, a strong password, and a profile setting so that the name shown on posts is not the same as the username. On a multi-user site, give each user only the access privileges they actually need and no more. Do these things, and all will be well even if people try to hack you (as they did here).

It was a pain to delete the 400 email notifications, but that’s part of the trade I guess, and why people get paid money to host! Other people, anyway: the clients still haven’t paid. That’s ok though: I altered the site to reflect that and it makes me feel better!

Why a copy and pasted legal notice will not invalidate Facebook’s terms of service

Why is the grass green? Why is the sky blue? Why are we unwilling to take the time to determine what is true?

Today, on December 2, 2014, I went and actually read Facebook’s terms of service after seeing a zillion people post privacy notices that various debunking sites, including but not limited to Snopes, say are a scam and useless.

I realized that under these terms anyone who uses Facebook gives them a royalty-free transferable worldwide license to their uploaded original content. That sounds bad, except that without that clause, it would be illegal for FB to allow other people to share your posts, or even read them. This license also ends when you delete your Facebook account or delete any given post from Facebook.

That makes such a license a reasonable, necessary, and good thing: good because without it Facebook could not exist. In order to even view someone else’s status post, you are downloading a copy of something they created. They send a copy of what they wrote to Facebook, which stores a digital copy, and then when you log in Facebook sends the copy to you, which you download to your computer and then open in order to see it. This is perhaps oversimplified, but in terms of copyright law that is what is happening.

Obviously, that’s not legal unless the people using Facebook agree to terms that allow this. Which they do.

(screenshot of one of the copied-and-pasted privacy notices)

Except I guess they don’t because they are posting stuff like this. But they keep using Facebook so their actions make their words meaningless.

Copying and pasting a legal notice originally written by someone else does not negate the terms of service that you prove you agree to by continuing to use Facebook.

If you don’t trust Facebook to not use your content for advertising or sell it, that may or may not be a legitimate concern, but expecting a status post to change that while continuing to allow them to control your data is ridiculous.

The privacy notice is a talisman. People put on the necklace of copyright law and then go back to posting photos and updating their status and think they’re protected. It’s like garlic and vampires: both the effectiveness of the step and the reality of the threat are doubtful.

The real way around it is to not put content you care about on Facebook’s servers. Put it up on your own site, or on another service that you trust, and then link to the content on FB. Or stop using Facebook.

Or, you can just get over it. Sharing something you created requires a level of trust and a relinquishing of control. Books can be copied. Music can be stolen. Paintings can be photographed. This was true even before the internet existed.

But with the internet, you can share your work with more people, more easily. If you have something you want to share with the world, this is a good thing. If you want to completely control your work, this is not, but there’s a solution: keep it to yourself and don’t let anyone else see it, ever.

What to do when a client doesn’t pay

A non-paying client ain’t nothin’ but a triangle… they have the fewest points possible, the least of the least when it comes to polygons. Depicted here is an equilateral: at least they have equal sides, even if they don’t pay.

This article isn’t idle speculation. So far I have had one web design client who has not paid. It was a simple but functional WordPress site with a store. I’ve been paid negative money for my work after 3 months.

I do have a partner who is acting as a go-between, and that might be part of the problem, as I am not negotiating with this particular client directly. However, the dilemma still exists. I have work for which I haven’t been paid after 3 months, and yet I’m still hosting the site, something which costs me money. There are several lessons to be learned already: one is not to shell out money for materials upfront. The other is to collect in draws, and to have a written contract for the scope of work. I played loose in this field because costs are so low for everything, and this experience will change how I operate in the future for sure. But I still have to decide what to do with a client who probably is not going to pay.

1. I could leave the site up as is.

I do not want to do this, even though there are no ongoing expenses associated with it. I do not want to continue to provide a service for deadbeats who don’t pay when I have the option not to.

2. I could add advertising to the site and leave it up.

This is the least emotionally satisfying solution but it’s a possibility. If they won’t pay I at least will be receiving something from it while I’m waiting for the partner to try and get money out of them. It’s also the nicest. On the other hand, I’m still providing free hosting to someone who gypped me.

The square has more points, more sides, and its angles are not only even, but are right angles. Squares are solid. The square thing to do is to pay what you owe.

3. I could take the site down.

This is an ok option. It will make me feel better. And it will also make the client answer the question of “Will you pay?” immediately instead of months later (in my head, I don’t think they will pay). Which I want.

4. I could change the A records (I own the domains) to redirect the domain for their site to a site of my choosing.

This is a little less mature, and kind of shady, but it’s probably what I’m going to actually do. It accomplishes the same thing as #3, i.e. taking the site down and forcing them to negotiate if they want it to go back up. If this were a paying customer, it would be completely dishonest. Since they haven’t paid, I am ok doing this, especially as I plan to redirect them to this article. If they decide to pay (the amounts of money involved here are not large for a company of this size; they can afford it) the site goes back up. If not: well, I get a little extra traffic until the domains expire or I sell them. I go back and forth. But I’m definitely going to take action soon, and will post again if something comes of it.

A basic primer on security for WordPress, update on current projects

So, this little experiment is still going fairly well. So far, another WordPress site has gone up, here. It’s a musician site for Nashville-based songwriter Lisa Carver. Very basic, using the WordPress Spun theme. The design might shift with feedback from the client. I’m reminded though that even the best design is useless unless there is content and the site is maintained. There’s a section for upcoming shows, but unless information on the upcoming shows is actually in there, there’s no point in even having it. Maintaining a website on even a basic level is work. It’s not much work, but it does take a little bit of doing.

Which is why I’d like to continue the adventure by talking about WordPress security. My friend Greg taught me most of what I know about coding when I took a free class he taught (information about that here if you are interested in learning a little about basic PHP, HTML, MySQL, and C#). He also taught some basic WordPress security. I followed at least some of it, and it definitely helped. Most of it is common sense, but it’s crazy how often it is disregarded. And it’s come into play already, as people have already tried to hack this site many times.

A friend of mine told me that WordPress had a bad rap for security. From what I’ve seen so far, that’s basically undeserved, but I can see how, if you didn’t take basic precautions during the install, you could leave yourself open. For example, during the installation of WordPress, there is a checkbox for “limit login attempts.” This means that if someone has a program or script that repeatedly tries to log in using different passwords, after a certain number of tries (I think the default is 8) it locks them out for 20 minutes. If this happens 4 times from the same IP, it locks them out for a day.

So if someone who doesn’t know what they are doing unchecks that box, the site is wide open to this kind of hacking. But the box is checked by default. When I tightened up the security on this site, I reduced the number of allowed failed login attempts to 4, and set a 24-hour lockout after (I think) 2 lockouts. You can do that. And people still try to hack the site.
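As an added illustration (not the plugin’s code), here is the lockout policy just described, modelled in Python: a per-IP count of wrong passwords, a short lockout when it reaches the limit, and a day-long lockout once the lockouts themselves repeat. The default numbers are the ones quoted above, TIGHTENED holds the settings I use on this site, and the IP address and burst of attempts are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class LoginThrottle:
    """Constructed model of the lockout policy described in the post, not the
    plugin's own code. Defaults are the plugin defaults the post quotes:
    8 failed tries -> 20 minute lockout; 4 lockouts -> 24 hour lockout."""
    allowed_retries: int = 8
    lockout_minutes: int = 20
    allowed_lockouts: int = 4
    long_lockout_hours: int = 24
    _fails: dict = field(default_factory=dict)         # ip -> failures since last lockout
    _lockouts: dict = field(default_factory=dict)      # ip -> lockouts since last long one
    _locked_until: dict = field(default_factory=dict)  # ip -> unix time the lockout ends

    def is_locked(self, ip: str, now: float) -> bool:
        return self._locked_until.get(ip, 0) > now

    def record_failure(self, ip: str, now: float) -> int:
        """Register one wrong password from ip at unix time now. Returns the
        lockout imposed by this failure in seconds, or 0. Attempts made while
        locked out are refused before the password is checked: no counter moves."""
        if self.is_locked(ip, now):
            return 0
        fails = self._fails.get(ip, 0) + 1
        if fails < self.allowed_retries:
            self._fails[ip] = fails
            return 0
        self._fails[ip] = 0                               # threshold hit: lock out
        lockouts = self._lockouts.get(ip, 0) + 1
        if lockouts >= self.allowed_lockouts:
            seconds, lockouts = self.long_lockout_hours * 3600, 0
        else:
            seconds = self.lockout_minutes * 60
        self._lockouts[ip] = lockouts
        self._locked_until[ip] = now + seconds
        return seconds

    def record_success(self, ip: str) -> None:
        self._fails.pop(ip, None)                         # a good login clears the count

def replay(throttle: LoginThrottle, attempts) -> list:
    """Feed a log of (unix_time, ip, password_ok) through the throttle and return
    the lockouts imposed as (time, ip, seconds); each one is a notification e-mail."""
    events = []
    for ts, ip, ok in attempts:
        if ok:
            if not throttle.is_locked(ip, ts):
                throttle.record_success(ip)
            continue
        seconds = throttle.record_failure(ip, ts)
        if seconds:
            events.append((ts, ip, seconds))
    return events

# Constructed burst: 40 wrong guesses, one per second, from a single IP
# (RFC 5737 documentation range) against the post's tightened settings.
TIGHTENED = dict(allowed_retries=4, lockout_minutes=20, allowed_lockouts=2, long_lockout_hours=24)
BURST = [(t, "198.51.100.7", False) for t in range(40)]

if __name__ == "__main__":
    for ts, ip, secs in replay(LoginThrottle(**TIGHTENED), BURST):
        print(f"t={ts}s {ip} locked out for {secs // 60} minutes")
```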

This person attempted to hack the “admin” username. Which doesn’t actually exist!

See the image. This has been happening a lot. There’s something you can do to eliminate that completely, which I will talk about later, but there’s something else I’d like to mention.

If the “Limit Login Attempts” plugin is active, you’ll get a notification email like the one above every time someone tries to hack you. There are some actions you can take. For one, you can go into cPanel (what I used to install WordPress) and block the IP. The problem with that is that hackers usually aren’t trying to hack from their own IP; they’re doing it through another computer they’ve already compromised, so blocking it won’t actually stop them. I’d like to point out, though, the username they are trying to hack: admin.

My administrator username is not admin. You should never never never use “admin” as a username. The username/password combination is what keeps your site safe; if you use “admin” you’re giving them half the battle. By trying to hack “admin” they’re targeting people who aren’t taking basic precautions. Don’t be that person.

The other username I’ve seen them try to hack is “akeythatshouldnotbeused.” Again, a good guess: it’s the name of the site, and also the author name on the posts. However, WordPress allows you to set it so that the name of the author displayed on the posts is different from the username of that author. Do this! If you do, hackers will have nothing visible to indicate what your username might be and will be starting from zero.

The third thing is to use a strong password. Pretty basic, and WordPress forces you to use a password of a certain strength, but here’s a basic rule of thumb. Don’t use your name or birthday. Use at least 10 characters. Use letters and numbers, with at least one capital letter, at least one symbol, and at least one special character. Also, WordPress allows spaces (something a lot of password systems don’t), so I’d do that too.

So, for example, here’s a weak username/password combination for a person named Jane Doe. Let’s say she’s 34:

username: admin
password: password

(Don’t EVER use “password” as a password. That’s the first thing they try.)

Let’s say Jane has a boxer named Prometheus. This would be a pretty decent username/password combo:

username: janedoe
password: prometheusthedog
or this would be even better:
username: prometheusthedog
password: 0891EnajEod!

In this case, her password is her birth year backwards, her name backwards with the last letter capitalized, and an exclamation point, and her username is not her name (in case she’s being hacked by someone who knows who she is). That’s pretty strong, and would be very easy to remember, and very hard to guess even by someone who knew her very well. If you changed the order of the birth year and her name and used some other character than an exclamation point, or substituted numbers for letters of her name, or used spaces, it would be nearly impossible to guess that kind of password even for someone who had read this article and knew it was created using that method. Finally, here’s an alternative, very unorthodox philosophy for passwords that is also strong:

username: prometheus
password: I Am Jane Doe And I Am Awesome!

This is a sentence, very easy for Jane to remember. Note a few things though, all of which make it harder for a script to hack: 1. The length. 2. The presence of capital letters. 3. The presence of spaces. 4. Special characters.
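To compare those properties across the four examples above, here is an added checker (not from the post) that applies its rules of thumb and estimates the brute-force search space in bits as length times log2 of the alphabet; the rule names, the COMMON_FIRST_GUESSES list and the JANE details are constructed. By the post’s own “don’t use your name” rule the sentence password gets flagged for containing “Jane Doe” and for having no digit, yet its search space dwarfs the others, which is the point about length.

```python
import math
import string

# Short constructed list of guesses every script tries first; the post's own
# rule is that "password" is the first thing they try.
COMMON_FIRST_GUESSES = {"password", "123456", "qwerty", "letmein", "admin"}

def alphabet_size(pw: str) -> int:
    """Size of the character alphabet a brute-force script must iterate over
    to cover pw: lower and upper letters, digits, punctuation, space."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 ASCII symbols
    if " " in pw:
        size += 1
    return size

def review_password(pw: str, personal: tuple = ()) -> dict:
    """Apply the post's rules of thumb to pw. `personal` holds strings someone
    who knows the owner would try (names, birth year), for the 'don't use your
    name or birthday' rule. The search-space figure is length * log2(alphabet)
    bits, the cost of exhaustive guessing; a dictionary or pattern guesser can
    do far better, so it is only an upper bound on a script's effort."""
    lowered = pw.lower()
    checks = {
        "length_10_plus": len(pw) >= 10,
        "has_capital": any(c.isupper() for c in pw),
        "has_digit": any(c.isdigit() for c in pw),
        "has_symbol": any(c in string.punctuation for c in pw),
        "has_space": " " in pw,                       # optional per the post
        "not_a_first_guess": lowered not in COMMON_FIRST_GUESSES,
        "no_personal_info": not any(p.lower() in lowered for p in personal if p),
    }
    required = [v for k, v in checks.items() if k != "has_space"]
    bits = round(len(pw) * math.log2(alphabet_size(pw)), 1) if pw else 0.0
    return {"checks": checks, "passes_rules": all(required), "search_space_bits": bits}

# The post's own examples for Jane Doe (34 in 2014, so born 1980) and her dog.
JANE = ("Jane", "Doe", "1980")
EXAMPLES = ["password", "prometheusthedog", "0891EnajEod!", "I Am Jane Doe And I Am Awesome!"]

if __name__ == "__main__":
    for pw in EXAMPLES:
        r = review_password(pw, JANE)
        failed = [k for k, v in r["checks"].items() if not v and k != "has_space"]
        print(f"{pw!r}: {r['search_space_bits']} bits, passes={r['passes_rules']}, fails={failed}")
```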

If you have login attempts limited and are using a strong password, your odds of being hacked in this way are almost nil. They drop even more if you use a Captcha. BWS sells a math Captcha for, I think, about ten bucks. I am not using it on this site yet, but I use it on all my clients’ sites, and it eliminates this kind of attempt completely. Eventually someone will write a program that sidesteps it, but it seems to work well for now.

So to recap, here are the basic WordPress security steps:

On install:

1. Make sure the “limit login attempts” box remains checked.

2. Use a username other than “admin” that is not your own name.

3. Use a strong password.

4. Change the name of the database to something other than the default. (I didn’t talk about this, but it’s the same deal: if you use a naming convention other than the default, it makes it harder to hack.)

5. Change your author profile so the publicly shown name is different from the username.

6. Shell out ten bucks for a Captcha.

That’s it. Do that and your site will be pretty darn secure.
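Items 2 and 5 above, and the “akeythatshouldnotbeused” guess described earlier, can be checked directly against the wp_users table; the audit below is an added example, not code from the post or from WordPress, run over a constructed in-memory copy of that table with the real column names. It also checks user_nicename, the slug WordPress puts in /author/ URLs and defaults to the login, which goes one step beyond the post: a changed display name alone still leaks the username there.

```python
import sqlite3

# Usernames the post says never to use, plus a couple of equally common ones.
CONVENTIONAL = {"admin", "administrator", "webmaster", "root", "user"}

def audit_users(conn: sqlite3.Connection, site_host: str) -> dict:
    """Return {user_login: [problems]} for accounts a guesser could name with
    no inside knowledge: a conventional username; a display name equal to the
    login (recap item 5); a login taken from the site's own name; and an
    author slug (user_nicename) equal to the login. WordPress defaults that
    slug to the login and publishes it in /author/<slug>/ URLs."""
    label = site_host.lower().split(".")[0]        # 'example' from 'example.com'
    rows = conn.execute("SELECT user_login, user_nicename, display_name FROM wp_users")
    problems = {}
    for login, nicename, display in rows:
        low = login.lower()
        found = []
        if low in CONVENTIONAL:
            found.append("conventional username")
        if display.lower() == low:
            found.append("display name equals username")
        if nicename.lower() == low:
            found.append("author slug equals username")
        if len(low) >= 4 and (label in low or low in label):
            found.append("username taken from site name")
        if found:
            problems[login] = found
    return problems

def sample_db() -> sqlite3.Connection:
    """Constructed stand-in for a WordPress database with only the wp_users
    columns the audit reads; a real connection runs the same query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,"
                 " user_nicename TEXT, display_name TEXT)")
    conn.executemany(
        "INSERT INTO wp_users (user_login, user_nicename, display_name) VALUES (?, ?, ?)",
        [
            ("admin", "admin", "admin"),
            ("akeythatshouldnotbeused", "akeythatshouldnotbeused", "akeythatshouldnotbeused"),
            ("prometheusthedog", "jane-doe", "Jane Doe"),   # the post's advice applied
        ],
    )
    return conn

if __name__ == "__main__":
    for login, issues in audit_users(sample_db(), "akeythatshouldnotbeused.com").items():
        print(login, "->", "; ".join(issues))
```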

Welcome, a note on current projects (WordPress: a site that should not be moved)

So, this is the first post under this name on the new site, a site that I am hosting on server space I have real control over. It’s been an interesting transition. This blog and concept used to be at this site, on WordPress.com.

I decided that I needed a hosting package in order to continue to be able to experiment with PHP, to be able to do WordPress sites that could be more easily modified, etc. There was initially a pretty steep learning curve in terms of DNS entries and so on, and there was a certain cash investment in a hosting package.

However, the moment I did this I started to pick up paying work, and the money sunk has already been recouped. Right now I’m hosting four sites, two of which are paid for. All of them are WordPress sites.

I’ve made lots of mistakes, including what could have been a really embarrassing failure.

He who installs WordPress in a directory different from that in which it will ultimately reside courts disaster, and rubs buttocks with the whirlwind. - Peter Dickson

It’s not easy to move a WordPress install. I put it in a temporary location, then bought the domain afterwards and tried to switch it by adding that domain to an existing subdomain, and cPanel wouldn’t do it. I backed up everything in public_html, deleted the subdomain, and put it back up with the addon domain pointing to the original public_html folder associated with the subdomain. At this point, I could direct people to the site using the correct URL, but once you navigated away from the home page the page titles and the tabs in the browser reflected the old names and not the new. I now know this was because of internal links in the database.

I then thought I’d uninstall WordPress and then put it back up with FTP (not sure why I thought that was a good idea) and of course this DELETED THE DATABASE and when the site was back up nothing worked. I stayed up all night redoing the site from scratch. Fortunately it was small enough that this was doable, and the end product was actually better than before.

It’s a very amateur mistake, and a really stupid one that I WILL NOT MAKE AGAIN EVER.

I now know there are scripts for this: you can do a search and replace on certain tables of the database, or, more importantly, you can spend $11 on the domain you or the client actually wants and get it set up first, so you don’t have to move a WordPress site unnecessarily.
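Those search-and-replace scripts exist because WordPress keeps widget and theme settings in wp_options as PHP-serialized strings whose s:N:"..." length prefixes must match the content: a plain text replace leaves stale lengths and the values no longer unserialize. The example below is added here, not from the post, and does the replacement safely; the option rows and hostnames are constructed.

```python
import re

# One PHP-serialized string token: s:<byte length>:"<exactly that many bytes>";
SER_STR = re.compile(rb's:(\d+):"')

def replace_serialized(blob: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new in an option value that may be PHP-serialized
    (widgets, theme mods and many plugin settings are stored that way in
    wp_options). Each s:N:"..." length prefix is recomputed so PHP can still
    unserialize the result; plain values are replaced directly."""
    out = bytearray()
    pos = 0
    while True:
        m = SER_STR.search(blob, pos)
        if m is None:
            out += blob[pos:].replace(old, new)
            return bytes(out)
        start, end = m.end(), m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            # Not a real string token (length does not line up): copy it verbatim.
            out += blob[pos:m.start()].replace(old, new) + blob[m.start():m.end()]
            pos = m.end()
            continue
        out += blob[pos:m.start()].replace(old, new)
        fixed = blob[start:end].replace(old, new)   # may contain quotes; length-delimited
        out += b's:%d:"' % len(fixed) + fixed + b'";'
        pos = end + 2

def lengths_consistent(blob: bytes) -> bool:
    """True if every s:N:"..." token really holds N bytes before the closing
    '";'. A plain text replace leaves stale N values; PHP's unserialize() then
    returns false, which is how widgets and settings vanish after a move."""
    pos = 0
    while (m := SER_STR.search(blob, pos)) is not None:
        end = m.end() + int(m.group(1))
        if blob[end:end + 2] != b'";':
            return False
        pos = end + 2
    return True

def migrate(rows, old: bytes, new: bytes) -> list:
    """Apply the URL change to every (option_name, option_value) row."""
    return [(name, replace_serialized(value, old, new)) for name, value in rows]

# Constructed wp_options rows: the two plain URL options plus a text widget,
# which WordPress stores as a serialized array. Hostnames are made up.
OLD_URL, NEW_URL = b"http://temp.example/site", b"https://shop.example"
SAMPLE_OPTIONS = [
    (b"siteurl", OLD_URL),
    (b"home", OLD_URL),
    (b"widget_text", b'a:1:{i:2;a:2:{s:5:"title";s:5:"Links";s:4:"text";'
                     b's:48:"<a href="http://temp.example/site/shop">Shop</a>";}}'),
]

if __name__ == "__main__":
    for name, value in migrate(SAMPLE_OPTIONS, OLD_URL, NEW_URL):
        status = "ok" if lengths_consistent(value) else "broken"
        print(name.decode(), "=", value.decode(), "|", status)
```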

And of course if I ever do have to do this again, I will back up the database and go slower, but hopefully I don’t have to do this for quite a while, or ever maybe. The site is up now, it is beautiful. Not perfect, but pretty good for a simple ecommerce site, especially if you want a chicken plucker that is under $50, fits into a standard drill, and is American-made.

Anyway, it’s been a trip and I am tired now. But if you’re here: welcome! I hope you find something here that interests you!