2012 was a year for hard lessons

One of the benefits of being employed in Internet-related industries for the past several years (currently for an online software company, previously as the digital media manager for a content firm) is that I work with lots of developers. They’re smart people, and they have a way of making the people around them smarter in terms of dos and don’ts on the Internet. One of the side effects of this is that over the past several years, I’ve become much more serious about online security. I make strong passwords. I don’t buy from companies online that aren’t reputable. I don’t authorize various apps without first vetting them. I don’t click on links in tweets or emails.

And yet, this year I’ve learned that even as someone who takes more caution than a lot of people in terms of online activities, what I’d been doing was not enough.

This summer, my WordPress website was hacked and as a consequence my hosting was suspended. Despite having a strong password and keeping my plugins up-to-date, my theme had a hole that I did not close quite quickly enough, and months later—way after I had performed the fix that I thought would work—this vulnerability came back to haunt me. I had to scrap my entire site and start over. I still haven’t put a real theme back in place, as you can see.

A couple months later, my Yahoo address book was compromised. More than likely this happened because an application I had authorized my Yahoo account with had been hacked, but there’s really no way to know for sure. Like I said, I don’t click on links in emails. (And I don’t use my Yahoo account for email, anyway. I use Gmail.)

Then, on Tuesday, I woke up to discover that my debit card number had been stolen and more than $200 had been charged to it. I immediately called my bank and had the card canceled, and they confirmed that it was just the card, not my actual checking account, that had been compromised. I know I’ll probably never find out how this happened, and it’s bugging the shit out of me. It could’ve been a card skimmer installed at the bank where I make my check deposits or cash withdrawals via ATM, though I rarely do this and I would hope the bank would inspect their machines regularly for these devices. It could’ve been a skimmer installed at any of the stores I use my debit card at: The grocery store, the gas station, the salon, etc. Hell, a rogue waiter could’ve copied my card when he or she took my debit card to the back to run it when I paid for a meal. I did do something stupid recently, though: I ordered food from Jimmy John’s on two occasions and paid with my debit card over the phone. I realize this is stupid. I had reservations about doing it. But it was pouring down rain, I was at work, and I was starving. Stupid is as stupid does, and I’ll sure as shit never do that again, even if it wasn’t the Jimmy John’s employee who stole my debit card number.

The thief racked up $150 in iTunes charges—11 individual transactions—but unfortunately I have no way of knowing what kind of music he or she bought. Nickelback, I’m sure. I do find some irony in someone stealing a debit card number to legally buy music instead of just torrenting it. Wouldn’t that have been easier? The thief also bought $50 in flowers (aw) and made a $20 transaction with some online merchant I’ve never heard of. It’s only identified as “gwa, Inc. dba,” which doesn’t turn up anything definitive in a Google search.

My bank assured me that they’ll refund me 100% of the charges, but unfortunately I have to wait for all of them to clear before I can file a fraud report. Then an investigator will be assigned to the case, and when he/she decides my fraud claim is valid, they’ll refund me the money. iTunes charges generally take 4-5 business days to clear, so it could very well be several weeks before I get my $200 back. I guess I should feel lucky it was only $200; the bank told me they blocked a $400 charge at BJs.com. Yeah, BJs. I checked it out. It’s not as sexy as it sounds.

So here’s where I am now: I’m running a tighter website ship, keeping all of my plugins up-to-date still but also paying attention to any security holes reported by WordPress and taking care of them immediately. If another one pops up and I think my site could have been compromised, I will immediately take it down and rebuild it from scratch. It’s probably good for me to get back into doing that, anyway, since I don’t do web development at work anymore.

I also started using 1Password as a way to keep track of my online identities while being able to use strong, randomized passwords for each individual account I have. If one website gets compromised, I just have to worry about changing that one account’s password. No more trying to remember where else I used the same username and password and having to change it, too.

While the only way to fully prevent credit card fraud is to never use a credit or debit card, I will never, ever provide my credit or debit card number over the phone. And when I go out to eat at a restaurant that requires taking my card out of my sight to pay, I’ll use a credit card instead of my debit card. At least that way, if the card is compromised it won’t be taking money right out of my checking account.

And for anyone else who has a website, uses online identities and pays for things using a card, I fully recommend beefing up your security, too. It can’t hurt, and you’re never too safe. Right? Right.

My So-Called Legislators

Recently Tennessee went through a redistricting process, and while I don’t fully understand why, I imagine that part of the reason was to confuse things for people who aren’t really on top of what district they’re in and who they are going to be asked to vote for when they show up at their polling place.

I am pretty Internet-savvy and it took me a good 10-15 minutes of research to find out what House and Senate districts I’m in now and whether I was redistricted into them, and I still can’t get a clear consensus on who I’ll be voting for in the TN Senate race. The US House is finally clear: I’m in the DesJarlais/Stewart race after being moved from District 6 to District 4. The US Senate seat up for election is Bob Corker’s, easy peasy.

In the TN House, I’m still in District 34. Ok, great. If I look at the sample ballot from the Rutherford County election commission, I’m told I can vote for either the incumbent Rick Womick or the challenger Luke Dickerson, and this matches a candidate list that I got from the Tennessee Department of State.

But it all becomes a shit-show when I start looking for information regarding what local Senate race I will be voting in.

Can I trust this information?According to the TN General Assembly’s website, I am in TN Senate District 14 and Bill Ketron is my senator “after redistricting.” The Tennessee Department of State confirms that I’m in District 14, but they give me a PDF of candidates that tells me Jim Tracy is my senator (and is in the race I’ll be voting for). The sample ballot I downloaded from the Rutherford County Election Commission also tells me that I’ll be voting for Jim Tracy.

So who do I trust? The Rutherford County Election Commission and the TN Department of State seem like two departments I should be able to trust, right? But what about the Tennessee General Assembly? They’re the only ones of the three to even mention redistricting, and they say that I’m in Bill Ketron’s district. Except I can’t find anything that talks about him being in a race (ballotpedia.org and votesmart.org say his seat isn’t up until 2014, but they also show him in District 13, not 14 like the Tennessee General Assembly does). And I seem to recall in the past being able to vote for or against Jim Tracy, but I can’t figure out if this has changed for sure even after checking three supposedly reputable state election sources.

All of this is made even weirder by the fact that the election is less than a month away and I have not received even one piece of campaign junk mail at my house. The rational part of my brain is happy about this, because it makes my recycling bin lighter. But the conspiracy theorist in me believes this is all just part of a plan to confuse me into not voting since I’m a Democrat in a very, very red state.

I should be able to find reliable, trustworthy information between these three sources, yet I can’t. I can honestly say now—after trying to find an answer to my simple question of “What TN House district am I in, and who will I be voting for/against in the election next month?”—that I can see why people don’t vote. There is no way something this simple should be this difficult to figure out.

And more importantly, if I can’t decide who to trust between the State Department, the General Assembly or the Election Commission, how am I to trust that my vote will even be counted accurately?

A glitch in my system

If you’re reading this directly on my site and not through an RSS reader, you might be wondering what’s up with the theme.

Funny story. And by “funny” I mean “not funny” and by “story” I mean “incident with some hackers.”

For the last couple of years I’ve been using Woo Themes for my theme, and a year or so ago they had some trouble with an exploit of their timthumb.php file. I did the recommended updates, changed passwords, etc., and a scan of my files told me I was in the clear. I update my WordPress installs regularly, and a call to Bluehost told me that there were no back doors to my site.

Fast-forward to today, and just as I finished vacuuming the stairs I got an email from Bluehost telling me that my web hosting had been deactivated because I had broken their terms of use. For having malware on one of my sites.


I called them up, and after waiting nearly 45 minutes was told that this morning they had identified a script on this domain that was causing issues with the server it’s hosted on. They removed the script and deactivated my hosting account as a way to get my attention and say hey, asshole, fix your shit.

The man I spoke to from Bluehost’s tech support team was really, really great. He was sympathetic to my plight, and ran several scans on my entire account to ensure the exploit only affected this one domain. From what he found, there was only one file that was placed, undoubtedly back during the Woo Themes issue, and nobody had bothered to come back and try to mess with my site until today, when Bluehost noticed the issue.

Although their team had already removed the offending script, he went ahead and ran a few more scans while I was on the phone just to be sure. Because nothing else turned up, he didn’t feel it was necessary to wipe my entire hosting account, but did suggest I wipe the domain that was affected and reinstall a fresh version of WordPress.

I’ve spent the last 30 minutes exporting content in various forms and making note of any custom CSS and core file changes I’d made, but because my database could have been compromised I didn’t want to import it into the fresh install. So I am going to rebuild the site by hand, design-wise at least. It’s not exactly how I wanted to spend my weekend, but you can’t always get what you want.

Thankfully I was already making regular backups of my content, so I knew that even if Bluehost had to completely wipe everything before I got a chance to get any files, I would be OK.

I’ve been cracking down on myself lately with Internet security, but I think this (and a recent Yahoo address book issue) serves as a good reminder that you should never feel like you’re untouchable. While I can’t afford the services of companies that vow to keep your site safe and remove any malware that’s detected (those run about $300/year, which is insane for someone who doesn’t make any money off her blog), I can do a better job of trying to keep my site as secure as possible.

Running Diablo 2 on Mac OSX Lion

In between bouts of frustration with my piece-of-crap scanner today, I got on a retro video game kick. It started with playing a few rounds of Tetris, and then I beat Super Mario Bros. 2 in about 30 minutes.

Then I decided to fire up the Diablo 3 beta, but after seeing it was still in maintenance mode and not available, I got the bright idea to see if I could get Diablo 2 to run on my MacBook Pro. With the release of Lion, Apple killed their support of PowerPC (read: pre-Intel processor) applications, referred to as Rosetta. Diablo 2 is a PowerPC game, which should mean that I am unable to play it on my MacBook Pro that runs Lion.

But the Internet is full of resourceful, clever people, and it didn’t take me long to find a way around this. There were many solutions that involved Boot Camp or partitioning my hard drive and installing an older operating system on one of the partitions, but that seemed like overkill just to play a video game for a few weeks out of nostalgia.

Luckily, I found a blog post by a guy who had a much easier way. All I had to do was download the Windows (not Mac) installer from Blizzard (made possible by entering my original CD keys at Blizzard’s Battle.net), download the free trial of an application called CrossOver by CodeWeavers, and then use that program to install the Windows version of Diablo 2 and play it.

It’s not perfect—I can’t play the game in fullscreen and the default window is pretty tiny. I couldn’t play through the whole game like this for sure. The application is $40, too—not an investment I would be willing to make unless fullscreen was available, and even then I don’t know that it would be worth it. I’ve only got to wait a couple more months for Diablo 3, and I have plenty of other video games waiting on me to play them.

But it was neat to revisit Diablo 2 and my favorite of its classes, the Amazon. I logged onto Battle.net in-game, too, and it was kind of sad to see how the chat had devolved into nothing but spam. I’d heard Blizzard wasn’t really policing their servers, and it shows. Hopefully Diablo 3 will be better managed.

Diablo 2

Oh, Bonnaroo

You’d think after 11 years they’d get that when tickets go on sale, a lot of people are going to want to buy them. Today at 10:30 a.m. I perched in front of my laptop, dutifully waiting for 11 a.m. so that I could buy tickets for Ian and I, hopefully at the lowest price point ($20 per ticket lower than the highest price).

Screw you, Bonnaroo

After two and a half hours, I shut down the computer without a single ticket. I felt kind of insulted; I’d been kicked out of the system, given “unknown error” pages, had my browser(s) crashed multiple times. The one time I finally made it to the page where I could enter my credit card information I was told I’d taken too long and had run out the 15 minute clock. It literally took 14 minutes and 40 seconds to get through three pages to the final stretch, and then I got the big middle finger.

Eventually Bonnaroo took their ticketing system offline and replaced the fun graphic on their website’s home page with a note saying they’d be back later to let us know what’s going on. Around 8 p.m. I found a message on their Facebook page saying they’d let us know by Monday night when tickets will be going on sale. Again. Let’s hope they can get their shit together by then.

Otherwise, Ian and I are going to The Hangout festival instead.

Believe it or not, I need to practice my smack-talk

A week ago, the closest I came to caring about football was getting excited about tailgating before the MTSU games and then stumbling into the stadium in just enough time to buy popcorn and catch the end of the fourth quarter.

And now, all of a sudden, I’m playing in two fantasy football leagues and trying to figure out when I need to scream at the TV and when I need to silently plead with my players to not fuck me over. Ok, I’m also trying to figure out how to remember who all I have on my teams.

Also: A big middle finger to whoever designed the UI for the Yahoo and ESPN fantasy football sites. It’s as if some assclown with a master’s in annoyance was given full-reign over Microsoft FrontPage and decided to try for his PhD in confusing the ever-loving shit out of anyone who would access these sites.

As if fantasy football isn’t stressful enough already.

And once again, life gets in the way

I know nobody cares, but it bothers me when I’m bad about blogging. Because ultimately I’m keeping this record of my life for myself, as selfish as that sounds, so that in 10 or 20 or 30 or 40 years I can look back and see what I was up to at a certain moment in my life. And laugh at myself, undoubtedly.

So I was going to recap my New Orleans trip and talk all about how awesome the train was, at least for the first couple of hours, and how I liked walking back through the cars as the train was moving, getting jostled from side to side and seeing the world fly by me out the windows the most. And I was going to tell funny and scandalous stories about the times my friends and I had while in New Orleans, starting with how Ian and our friend John started drinking about 8 a.m. on the way down there, and how by the time we got to the train station in Birmingham John had consumed seven beers and a 4Loko and was yelling out the car window as we drove through the ghetto to find a parking lot.

And I was going to detail how excited I was to be in New Orleans and run into an old, old friend of mine—like, someone I was BFFs with all through elementary school—made possible by checking into a bar on Facebook, of all things. And I was going to recount the fun we had at the St. Patrick’s Day parade that night—old friends, current friends, and new friends all celebrating together—and then how Ian got lost for a short period of time and once again Google Maps and GPS on my iPhone saved the day.

But time has passed, and some stories are better recounted in person, told time after time in bars and at cookouts instead of immortalized by the pen of the Internet. Some things are best held close by the people who experienced them, and not everything has to be validated by blog entry or tweet or Facebook update.

But mainly I’m just lazy.

What’s in a (domain) name?

In the nearly four and a half years that I’ve been blogging, my blog’s URL and name have changed a few times. I know it’s annoying, and I thank you for sticking around. And I’m sorry for the following question, but I am having a bit of an identity crisis and I need help.

Regular readers of this blog know that last year I got married, and subsequently changed my name from Megan Goodchild to Megan Morris. While Megan Goodchild was a great name to use online, where consistency is key, it was a pain in the ass in real life most of the time. (“Oh and are you a good child? Heeheehee!” Yeah good one there, Dane Cook, you’re totally the first person I’ve heard that from in 30 years. )

Megan Morris, on the other hand, is an awesome real-life name (I realized shortly after changing my name that I was flinching before saying my maiden name out loud. And as a bonus, Megan Morris has a nice alliteration to it and kind of sounds like it could belong to a redheaded siren holding a pint of Guinness in one hand while punching a leprechaun with the other), but nonetheless it has posed some problems for my online identity.

When I registered this domain, I was trying to decide between megmorris.com and meganmorris.net. I decided against the .net convention, and was somewhat OK with megmorris because 1. my mom and sisters call me Meg, and 2. if you take into consideration my initials including my maiden name, megmorris accurately reflects my name (Megan Emily Goodchild Morris).

But here’s the problem: I don’t want to retain my maiden name. And nobody but my mom and sisters (and the occasional old friend) calls me Meg, so when I get emails or tweets from someone I barely know calling me Meg, it kind of freaks me out a bit.

Several months ago I set up a new Google ID and Gmail account for this new name, which was tricky in itself. Google doesn’t allow you to use IDs that are anywhere close to what someone else has, so even though someone had already taken meganmorris, I couldn’t be megan.morris. I think even megmorris was taken, so I eventually decided to incorporate my middle name and selected meganemilymorris. I have never used my middle name for anything, personal or professional, but it seems to work and I like it just fine for a secondary email address and a Google ID.

Which brings me to my current quandary: Do I keep this blog here and build out my main website on megmorris.com as well, even though I’m not super happy with the domain? Or do I move everything over to meganemilymorris.com, which I already own, to kind of make things more consistent (and reflect my name more accurately)? Or is there something else I should do entirely? I’m looking for a solution that keeps search-engine optimization in mind but also reflects me.

(And waiting for meganmorris.com to open up doesn’t seem to be an option. There’s a chick blogging there who doesn’t seem like she’s going to quit any time soon. And I think emailing her to ask if she’s married or planning on getting that way seems a bit, um, creepy.)

So what say you, Internet marketing specialists? Or anyone? Thoughts?