#this was a request from an anonymous person on my first iteration of this blog but i was so proud of it that i saved it so here it is again
Explore tagged Tumblr posts
Text
"Camera"
It's ironic, isn't it? That I fell for you, a YouTube star, of all people. I hate being on camera. I don't even take selfies, like most people my age do. It's not even that I'm particularly insecure about my looks, I just... don't want any attention.
You have millions of followers on social media, and you post pictures and videos of yourself for all the world to see, every day. So many people react to them, telling you how attractive you are, and I always wonder how that makes you feel. It would mortify me.
We're sitting in the car, and I'm in the passenger's seat next to you. Your brothers are in the back seat, and your right arm is around my shoulders while you steer with your left hand.
"Say 'hi' to the camera!" Chris says, pointing his phone at us.
"Chris, get that thing out of her face!" you say, reaching back and knocking the phone out of his hand.
"Whoa, calm down!" Chris says, getting visibly upset. "I wasn't gonna post it, you know that. I was just gonna text it to you and then delete it."
You roll your eyes and shake your head. "You know she doesn't like that shit," you mutter.
"Yeah, well I don't see why it's such a big deal anyway," Chris says in an exaggerated tone of voice.
Nick chimes in. "Chris, you need to take it down a notch," he tells him. "Be respectful of her. If she doesn't want to be on-camera, then she doesn't have to. Period."
"I wasn't gonna post it!" Chris reiterates, annoyed at the insinuated accusation.
You sigh, not wanting your brothers to argue with each other. I know how much it stresses you out whenever they do. "Just stop," you tell them.
Luckily, they listen to you this time.
Your next YouTube video is a car video. I won't be joining you - I never do - so I always have to wait until the video gets posted in order to know what you guys filmed together. It doesn't bother me, because I know it's an integral part of your career.
While you go out to film, I'm by myself inside of the house. I scroll through endless comments on social media of people trying to speculate who I am, exactly. They only know that I'm your girlfriend, since you came out in a video explaining that you're now in a relationship; but people are getting curious, suspicious, and downright invasive, honestly.
When you come back from filming, you give me a big hug. "How are you doing?" you ask me.
"I'm fine, you guys weren't even gone for that long," I smile at you.
You kiss my forehead. "Good," you tell me. "I hope I did you proud in this next video."
I raise my eyebrow. "What does that mean?" I ask you.
"I'll let you look at it once Nick edits it," you say. "Before we post it, I promise. I want you to approve before anyone else sees it."
I won't lie, I'm kind of nervous about it. I already had a terrible experience with an ex who tried to doxx me, and even sent my nudes out to people. You know this, and you're the only one who does. I don't know if you told your brothers, but I trust you enough to do the right thing.
The next day, Nick sits me down in his room at his computer. "Okay," he says to me in a gentle voice. "I'm going to show this to you, and I want you to be 100% honest with me. If there is anything you want me to take out of this video, just say the word, and I will. Got it?"
I nod, unable to speak. My heart is in my throat. I just want to get this over with.
Nick presses the play button.
"Okay," I watch you say on the screen. "I'm going to start this video off with a very important topic, because I feel like this needs to be said." Your eyes are very serious, and I feel like I already know what you're going to say. "You guys... we love you. You're our fans, and we appreciate you, but... you guys need to back off and give us privacy when we say to."
My eyes widen. I am stunned. I very rarely see you this seriously passionate about anything.
"My girlfriend is a real person, with real feelings," you continue. "She has her reasons for wanting to stay private, and you guys have to respect that. I don't wanna see any of this, 'Oh, I think this is her!' or, 'Oh, she's in this picture!' like, just stop. It's beyond irritating."
Nick is nodding his head in the back seat, agreeing with what you're saying.
Chris looks like he's about to interrupt you, but you hold out a hand to stop him from speaking, while keeping eye contact with the camera.
"And, for the record, she doesn't owe you an explanation," you say. "If and when she is ready to come on camera, then she will. If and when she is ready to talk about her experiences, then she will.
"You guys get a lot of content from us, and we try not to hide too much from you, because you are the reason we're famous. But my girlfriend doesn't want to be famous. And that's her choice. So I'm not asking you anymore, I'm telling you: back off.
"Okay, I've said my piece," you say, turning to Chris.
Nick pauses the video. "That's all he said about you," he assures me. "After that, we changed the subject. Is this okay to post?"
I can't stop the tears from falling down my face. "I'm sorry," I sob quietly into my hands.
"What!? Sweetie, no," Nick says, rubbing my shoulder comfortingly. "Listen, Matt told me what happened. And that is absolutely not your fault. Okay? We don't want to victimize you again. That's not what we're about. We'll always stick up for you."
"What about Chris?" I ask Nick, sniffling. "Does he know?"
Nick shakes his head at me. "Matt hasn't told him, yet. He didn't know if you wanted him to know."
I take a deep breath to try and calm myself. "Well, maybe he should know, too," I concede.
"Do you want to tell him, or do you want me to, or Matt to?" he asks me.
"I think... I think I want you guys to help me tell him," I answer, wiping away my tears.
"Okay," Nick says. "I'll go get Matt and Chris."
I wait for you all to come back, and the tears flood down my cheeks once more.
You are the first to return, and you immediately hold me in your arms. "Hey, shhh," you shush me, stroking my hair comfortingly. "It's going to be okay."
I nod against your chest. "Thank you for sticking up for me," I say.
"I always will," you tell me. "Always. No matter what."
#this was a request from an anonymous person on my first iteration of this blog but i was so proud of it that i saved it so here it is again#matt sturniolo x reader#fic#txt#op#pov: yours
45 notes
Text
Hello everyone, and welcome!
We are the denizens of the wondrous world we all know and love. And we have all gathered here to speak with you! Got anything you desire to say, ask, or send our way? Do it anytime you wish, and we shall respond - through our voices! We are voice acting enthusiasts, some of whom you may have already heard in some Rain World fan projects. You can send anything at a character - images, art, questions, ideas, videos, whatever you wish! And the character shall react - just like in any other askblog. But the difference is not just that we use voiceovers to answer (instead of art), but that the process is fully collaborative, as the VAs of the characters all have full creative control over what they say, instead of following the standard practice of one person writing/deciding everything.
Important things to note (please read before submitting):
When you send us something, make it abundantly clear which character you're addressing. You're allowed to address multiple, or even the entire cast.
NSFW submissions are not allowed. Mildly suggestive ones are fine, but they will not get a response if the character you're addressing has a minor as its VA, or an adult who would be uncomfortable with it.
This project is fully non-canon. VAs are allowed to use headcanons and personal interpretations when answering. It's also not really meant to be serious, so feel free to send us silly stuff :3
You should only submit things for characters that actually have VAs, as you wouldn't be able to get a response otherwise.
List of available characters that you can currently send stuff to:
Survivor - @oliverwritesnow
Monk - Spooky ARK
Hunter - @astur-x
Nightcat/Watcher - @areon103
Gourmand - @fadebolt
Artificer - @arti-draws
Rivulet - @daikonical
Spearmaster- @dysfunctionalcore
Saint - @imjayig
Inv/Enot - @isnt-a-blog-blog
Looks to the Moon - @mewguca
Five Pebbles - @cctv-catgirl
No Significant Harassment - @ifoundthishumerus
Seven Red Suns - Cowboi
Sliver of Straw - Anonymous by request
Chieftain Scavenger - @unrealwasas
Lizards: Green, Pink, Blue, Red, Caramel, Eel - @asdasdasdasd1840
More Lizards: White, Salamander, Cyan - @astur-x
Black Lizard - @unrealwasas
Train Lizard - Spooky ARK
Scavenger - @unrealwasas
Other creatures: Squidcada, Lantern Mouse, Pole Plant, Yeek - @asdasdasdasd1840
The person primarily running this project and blog is me, @fadebolt. If you wish to voice act a character yourself, shoot me a DM, either here or in Discord (my name is also 'fadebolt' there, and I'm in the main RW server, so finding me should be easy). There's absolutely no limit on the characters you could ask to VA. Slugcats, iterators, ancients, echoes, scavengers, any other species... they're all available! We also aren't limiting ourselves to just the base game. Characters from Downpour, characters from mods, OCs, and non-canon characters in general are also available (though if you're planning to VA a character owned by someone else, then make sure to consult them first). Just... don't ask for characters who are already taken. Asking to be a backup is fine (in fact, backup VAs would be more than welcome), but we're not stripping anyone of their role just because someone else asked for it as well. This post will be regularly updated with the list of all the taken characters and their VAs. Characters who are not on the list do not have VAs, and are fully open.
Submit your OCs, to be featured on the blog:
If you're looking for some elaboration on the OC thing, you can find it within this post.
#rain world#rain world downpour#rainworld#rw downpour#slugcat#rw slugcat#rain world askblog#rw ask blog#rw askblog#rain world ask blog#rw spearmaster#rw gourmand#rw artificer#rw saint#rw survivor#rw monk#rw watcher#rw nightcat#rw nightwatcher#rw hunter#looks to the moon#iterator#rw lizard#rw yeek#rw squidcada#rw lantern mouse#rw lantern mice#rw rivulet#rw enot#rw inv
47 notes
Text
FAQ & Rules
Hello! Welcome to Monster Kink Meme!
This blog is a source for writing and art prompts for monsters & kinks. Pretty straightforward. Here’s a basic FAQ, mixed with our rules.
What is the point of this blog?
This blog is to generate writing and art prompts, similar to @write-it-motherfuckers and @writing-prompt-s, specifically for exophilia writers and artists.
Can we submit prompts?
Yes! Please do, either through the submission button or through asks. Asks are best for short prompts, or things that you want to keep anonymous. Submissions are best for longer prompts, and cannot be anonymous. We love getting prompts from folks. If you have a request for a story, please phrase it as a prompt. We aren’t a request blog, but a prompt blog.
Who can participate?
Anyone over the age of 18.
How can we participate?
Other than submitting prompts, if you see a prompt that inspires you, write or draw something and reblog it with the original prompt. Also, tag liberally.
Art submitted cannot be anonymous and must be from either the artist who created it or posted with permission from the artist who created it. Do not repost someone else’s art without their permission. This includes using it in moodboards (those collages at the top of stories.)
I see you suggest genders/monsters. Do I need to use those?
Mod prompts will sometimes have suggested genders & monsters. Those are totally optional and can be ignored if something else inspires you.
Submitted prompts that include requested monsters or genders should be considered mandatory, since people submitting those are setting up specific situations they’d hope to see.
Do I need to use a specific tense or point of view?
No! The exophilia community does a lot of writing from second person present tense as a stylistic thing, but that doesn’t mean you should limit yourself to that. Write what feels comfortable to you. If that’s third person, write that! If it’s past tense, then that’s fine, too!
Can I write about sexy stuff? Kinky stuff? Polyamory?
Yes! We leave our prompts open, but if something you write takes a sexy turn, or features extra kinks, or multiple partners, that’s totally fine by us. (As long as it abides by the rules below re: what we don’t allow.) We love that stuff, it’s just that a lot of what we’ve gotten so far has been sweet rather than spicy.
Just make sure you TAG APPROPRIATELY. Use the citrus scale, tag for content (anything that people may want to know about before choosing to read your story), and follow the content rules. (We want consent, no incest, no underage sex, and no bestiality. Beyond that, it’s fair game.)
Where do I find monster inspiration?
We’ve got a post here. The short version? Everywhere! Pop culture. Cryptids. Mythology. Dungeons & Dragons. Video Games. Movies. Your Imagination.
I need writing help. Do you have advice?
We have a post here. It’s got advice from a bunch of us about how to start, how to continue. How to do the thing. The biggest thing is just to go for it. You’ll never get better without doing.
If a prompt has already been “filled,” can someone else write about the same prompt with a different story?
Yep! We’d love to see as many iterations as you guys can think of! (Someone asked Aelia about it, there’s a post.)
Are there any format expectations/requirements for stories?
Generally we like to see something that lists Characters, Content, and Rating, and a Read More link when appropriate.
Characters tells people who/what is in your story. Reader & monster genders would be listed here.
Content would be where you put any tags (see the next question) and warn people about anything that may squick or trigger, as well as any acts or situations that they may be interested in, or which they may wish to avoid. This allows people to make good choices for themselves.
Rating is based on our Citrus Scale.
If your story is more than about 6 paragraphs, or it’s explicit or potentially triggering, we love to see you use a Read More/Keep Reading tag after the first paragraph or two so when we reblog it people don’t have to scroll forever.
How should I tag?
There are two spots where we love to see tags!
1: Ahead of your story. If you put tags before your story, your readers can make informed choices about what you’ve written, and whether it’s a good/safe choice for them. This is where we want to see tags about any kinks, sex acts, or content warnings for readers.
2: In the tumblr tags. This is where you put things to make your story searchable, so DO NOT put NSFW or “sexual” tags here, as it will make the post inaccessible by searching. This is where all the tags about citrus scale, monster types, reader & monster genders, pairings, and fandoms that apply should go. Here’s a post about unsearchable tags. Using these tags will make your post “disappear” and we’d hate to see that happen.
We have a handy guide to how we want to see the citrus scale used for stories that people hope to see on our blog.
Overall, USE CONTENT WARNINGS. We cannot stress this enough. We want readers to be able to make informed choices about what they read to avoid “squicks” and triggers.
Should we use the “teratophilia” tag?
We would prefer you didn’t, for two reasons: A: teratophilia is no longer a searchable tag, and B: given the original definition of the word (sexual attraction to deformed, disfigured, or monstrous people, and a form of paraphilia, i.e. attraction to the disabled), the moderators of this blog feel it is both inaccurate and insensitive.
Most (not all, but most) monster-lover writers now use the much more accurate term exophilia (the love of extraterrestrial, robotic, supernatural, or otherwise non-human life-forms) to describe our work. Robophilia (sexual attraction to robots) and xenophilia (sexual attraction to aliens) are still permissible.
Topics we don’t allow/won’t post/reblog:
Real people (like actors, musicians, and other celebrities)
Incest (including step/adopted family members)
Non-con/dub-con (including rape-play)
Whump (“Hurt/Comfort” fics that focus more on the hurt and less on the comfort. Not to be confused with standard Hurt/Comfort or BDSM)
Bestiality (creatures that don’t possess the mental capacity to consent)
Under-aged/pedophilia (with the minimum age being 18)
Everything else is totally fine.
If you plan on writing anything along these lines using our prompts, please make it a separate post, and do not tag us in it. This is because we want our notes to be relatively safe for people to look through, but also because we don’t want to be associated with things that violate our policies.
We would also like to point out once more that this is a prompt/prompt fill blog, not a request or roleplay blog. If your story/submission does not meet our rules and is NOT a prompt/prompt fill, we will not be posting it on our blog.
Do not plagiarize books/movies/video games for your prompts.
We’ve seen this cropping up a lot recently. We will not post them if we spot them, and if we miss it and someone points it out, it’ll be deleted.
General Expectation for Respect/Sensitivity
We didn’t want to phrase this one as a question necessarily but we wanted to make it clear that on the whole, not only do all of the mods of this blog embrace the idea of an open community, but we endorse appreciation over appropriation, as well as sensitivity and respect when working with creatures from races and cultures that are not your own, or sexualities, or genders which you do not identify with. We love representation, we just want to see it done well.
Mod Traveler has a post on her blog that sums it up well and includes links to educational resources for people looking for more info, but you should be able to reach out to any of us for more information about what we mean.
What are “theme days”?
We (sometimes) have two theme days a week where we request prompts that fit a specific theme. Prompts that come in on those days which fit those themes get posted immediately instead of getting queued.
Trope Tuesday is all about our favorite tropes with monsters mixed in. First Date Friday is about the trials and tribulations of first dates. We currently do them weekly, but that’s subject to change.
What are tropes?
We’ve had a few questions come in about this! We’ve answered it here, and here. But the short version is: storytelling shorthand. Common “cliche” situations that readers recognize, and may have set expectations for. (“Oh no, someone is getting married and I need a date!” etc.)
I saw you reblog something from [other prompt page]. Why?
So, we reblog from other prompt pages because we are trying to keep enough prompts in the queue to have stuff posting with consistency. We’ve been trying to share relevant prompt posts from other places (with permission from the other blogs, in every case) to ensure there’s enough content.
I wrote a story but you didn’t reblog it!
If it didn’t violate any of our rules, we just might have missed it in the notes, or it wasn’t about monsters. Please feel free to tag us, or message a member of the mod team directly. :)
Will you post a story I submit to you?
Only if it’s a direct response to one of our prompts, and/or it involves monsters. We’re a monster prompt blog. :)
Do you have a masterlist?
We do! We have one for Fills and one for Prompts.
I don’t like something I saw posted, what do I do?
We can’t control what people post in response to prompts posted here, but we won’t ever reblog something that doesn’t fit the spirit of our blog, and we’ll never post prompts that go against our rules.
With the exception of our explicitly not allowed list, we abide by the “your kink doesn’t have to be my kink, and that’s okay” rule. The tl;dr version of this is “if it doesn’t violate the rules, but you don’t like it, just keep scrolling.”
If you feel it does violate our rules but it slipped through the cracks somehow, please send one of the mods a message, and we will help you out with it.
That’s it! We’ll update as needed! Have fun and get creating!
- Team Kink (AKA: @aelia-likes-monsters, @elizabethtarington, @hufflesmonsters, @monstersandmaw, @cozycryptidcorner, @demonsigh, & @thetravelerwrites)
71 notes
Link
(Via: Hacker News)
Short version:
Zoom meetings are (were) protected by default by a 6 digit numeric password, meaning 1 million maximum passwords. I discovered a vulnerability in the Zoom web client that allows checking if a password is correct for a meeting, due to broken CSRF and no rate limiting.
This enables an attacker to attempt all 1 million passwords in a matter of minutes and gain access to other people’s private (password protected) Zoom meetings.
This also raises the troubling question as to whether others were potentially already using this vulnerability to listen in to other people’s calls (e.g. the UK Cabinet Meeting!).
I reported the issue to Zoom, who quickly took the web client offline to fix the problem. They seem to have mitigated it by both requiring that a user log in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer.
On March 31st, Boris Johnson tweeted about chairing the first ever digital cabinet meeting. I was amongst many who noticed that the screenshot included the Zoom Meeting ID. Twitter was alive with people saying they were trying to join, but Zoom protects meetings with a password by default (which was pointed out when the Government defended using Zoom).
Having also tried to join, I thought I would see if I could crack the password for private Zoom meetings. Over the next couple of days, I spent time reverse engineering the endpoints for the web client Zoom provide, and found I was able to iterate over all possible default passwords to discover the password for a given private meeting.
UK Government Cabinet Meeting, over Zoom, clearly showing the meeting ID. The government have reassured that the call was password protected.
Background
After trying to join the Cabinet Meeting, I poked about in the Zoom app and noticed the default passwords being 6 digits and numeric, meaning 1 million maximum passwords.
A fairly standard principle of password security is to rate limit password attempts, to prevent an attacker from iterating over a list of candidate passwords and trying them all. I assumed that Zoom would be doing this, but decided to double check.
I decided to target Zoom’s web client, but my findings apply to meetings initiated and conducted via all versions of the app too.
Meeting Login Flow
When a user creates a new meeting, Zoom auto generates a link for people to join, in the form (dummy data below):
https://zoom.us/j/618086352?pwd=SE5OWjE6UDhwaDVJR3FJRzUyZUI3QT09
It contains both the meeting ID and the auto generated password. I believe this password is a hashed version of the 6 digit numeric password, but I also found that swapping it out for the 6 digit numeric version is acceptable to the web client endpoints, so we can ignore the hashed version and concentrate on the numeric version.
If you remove the pwd parameter then visit the web client join link (https://zoom.us/wc/join/618086352) then you will see a login screen:
Filling this in takes you to a privacy policy page:
This seems to fire off an XHR GET request then take you to another page.
Breaking down the flow behind the scenes
There are several things going on as you move through this flow:
When you first open any web client page, without an existing cookie, a cookie is set which, amongst other bits, contains a GUID. This seems to be your anonymous user ID.
If you fill in the user/pass form but haven’t completed the privacy agreement you are redirected to it. Completing it is a simple GET request to a given endpoint, which contains your GUID. There is a CSRF HTTP header sent during this step, but if you omit it then the request still seems to just work fine anyway.
When you submit a username and password, you are 302 redirected to another page, irrespective of whether you got the password right or wrong. You will get a 200 response if you haven’t completed the privacy policy.
The redirect will take you to a new page, which seems to know server side whether your GUID has previously entered the correct password. i.e. The previous step stored state server side marking whether you got the password correct.
The failure on the CSRF token makes it even easier to abuse than it would be otherwise, but fixing that wouldn’t provide much protection against this attack.
This process is a little convoluted to automate, which is maybe why this endpoint has not been scrutinised in detail before. There are some details I’ve skipped over, such as parameters that need to be saved from one request to another, but they are not important to understanding the main issue.
Cracking passwords
The important thing to note about the above process is that there is no rate limit on repeated password attempts (each comprising 2 HTTP requests – one to submit the password, and a follow-up request to check if it was accepted by the server). However, the speed is limited by how quickly you can make HTTP requests, which have a natural latency that would make cracking a password a slow process; the server side state means you have to wait for the first request to complete before you can send the second.
However, we should note that the state is stored against the provided GUID, and you can ask the server for as many of those as you want by sending HTTP requests with no cookie. This means we can request a batch of GUIDs and then chunk the 1 million possible passwords up between them and run multiple requests in parallel.
I put together some (fairly clunky) Python that requests a batch of GUIDs then spawns multiple threads so they can run requests in parallel. An initial test running from my home machine with 100 threads:
===FOUND PASSWORD=== Password: 170118 Passwords tried: 43164 took 28m 52s 392ms
We can see we are checking about 25 passwords a second, and discovered the password (in this example I knew the password so had bounded my search). I ran a similar test from a machine in AWS and checked 91k passwords in 25 minutes.
With improved threading, and distributing across 4-5 cloud servers you could check the entire password space within a few minutes. This would be fairly simple to do, but I resisted as I had demonstrated the process and wanted to be cautious not to interrupt Zoom’s service (I did do some short higher rate tests and never got throttled or blocked).
Note also that the expected time to find a password would be shorter, as you would not normally need to search the entire list of possible passwords.
Also note that recurring meetings, including ‘Personal Meeting IDs (PMIs)’ always use the same password, so once it is cracked you have ongoing access.
The initial version of my attack could only be run once a meeting started, but I later found that the DOM for un-started meetings indicated whether the password is correct vs incorrect, meaning you could crack scheduled meetings too.
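Seen from the defender's side, the process described above leaves two signals in a web server's logs: one IP collecting anonymous GUIDs through cookie-less requests, and a single meeting receiving password submissions from many different GUIDs. The following Python is an added example, not code from the original post or from Zoom: it runs that detection over a constructed log in an assumed format (timestamp, client IP, GUID cookie or "-", method, path), reusing the /wc/join/<meeting id> path shape and the dummy meeting ID 618086352 from the post. The log format, the thresholds, and the treatment of a POST to /wc/join/<id> as a password submission are assumptions of this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format for this example (an assumption, not Zoom's real log schema):
#   <ISO-8601 timestamp> <client ip> guid=<anonymous GUID, or "-" if no cookie was sent> <METHOD> <path>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) guid=(?P<guid>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
# Join paths follow the /wc/join/<meeting id> shape shown in the post; treating a POST to that
# path as a password submission is an assumption of this example.
JOIN_RE = re.compile(r"^/wc/join/(?P<meeting>\d+)")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    j = JOIN_RE.match(rec["path"])
    rec["meeting"] = j.group("meeting") if j else None
    return rec


def detect_brute_force(lines, window=timedelta(minutes=10),
                       max_cookieless_per_ip=20, max_attempts_per_meeting=50):
    """Return alerts for the two signals the post's attack leaves behind:
    - one IP collecting many anonymous GUIDs by sending cookie-less requests;
    - many password submissions for a single meeting, spread over many GUIDs.
    Counts are kept in a sliding window; each alert fires once, when a count reaches its threshold.
    """
    records = sorted((r for r in map(parse_line, lines) if r), key=lambda r: r["ts"])
    cookieless = defaultdict(deque)  # ip -> timestamps of cookie-less requests inside the window
    attempts = defaultdict(deque)    # meeting id -> (ts, guid) of password submissions inside the window
    alerts = []
    for r in records:
        if r["guid"] == "-":
            q = cookieless[r["ip"]]
            q.append(r["ts"])
            while r["ts"] - q[0] > window:
                q.popleft()
            if len(q) == max_cookieless_per_ip:
                alerts.append(("guid_harvesting", r["ip"], len(q)))
        if r["meeting"] and r["method"] == "POST":
            q = attempts[r["meeting"]]
            q.append((r["ts"], r["guid"]))
            while r["ts"] - q[0][0] > window:
                q.popleft()
            if len(q) == max_attempts_per_meeting:
                distinct_guids = len({g for _, g in q})
                alerts.append(("meeting_brute_force", r["meeting"], len(q), distinct_guids))
    return alerts


def constructed_log():
    """Constructed sample traffic (not real data): two ordinary joiners, then one IP that
    harvests 25 GUIDs and sends 60 password guesses at the post's dummy meeting ID."""
    base = datetime(2020, 4, 1, 10, 0, 0)
    meeting = "618086352"
    lines = []

    def log(offset_ms, ip, guid, method):
        ts = (base + timedelta(milliseconds=offset_ms)).isoformat()
        lines.append(f"{ts} {ip} guid={guid} {method} /wc/join/{meeting}")

    # Ordinary users: the first visit carries no cookie, then one password submission.
    log(0, "198.51.100.10", "-", "GET")
    log(1000, "198.51.100.10", "user-guid-a", "POST")
    log(2000, "198.51.100.11", "-", "GET")
    log(3000, "198.51.100.11", "user-guid-b", "POST")
    # Attacker: 25 cookie-less requests to collect GUIDs ...
    for i in range(25):
        log(60_000 + i * 100, "203.0.113.7", "-", "GET")
    # ... then 60 guesses spread round-robin across those 25 GUIDs.
    for i in range(60):
        log(70_000 + i * 100, "203.0.113.7", f"attacker-guid-{i % 25}", "POST")
    return lines


if __name__ == "__main__":
    for alert in detect_brute_force(constructed_log()):
        print(alert)
```

The per-meeting alert reports how many distinct GUIDs were involved because that is the part a plain per-cookie counter misses: the attack only works if the guesses are spread across fresh GUIDs, so a meeting with 50 failures from 27 different anonymous identities in ten minutes is a much stronger signal than 50 failures from one. Tune the window and thresholds against real traffic before trusting them.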
Zoom Password Issues
Firstly, note that whilst it doesn’t seem possible to change the 6 digit numeric password for spontaneous meetings, it is possible to override it for scheduled meetings, but it is an explicit step to change the default password provided. I checked about 20 Zoom meeting invites I’ve received in the past, from various people, and found they all used the default 6 digit password.
If you do override the password and produce a longer alphanumeric password, then a 6 digit numeric password may be produced anyway for phone users. This password is not accepted, at least on the endpoint I was trying for the web client. I’m not sure if this is true for other endpoints – I didn’t check.
Also note that if the password was to be updated to alphanumeric, I estimate you could still run across a password list of, say, the top 10 million passwords in less than an hour.
In other testing, I found that Zoom has a maximum password length of 10 characters, and whilst it accepts non-ASCII characters (such as ü, €, á) it converts them all to ? after you save the password.
Could someone have eavesdropped on the UK Cabinet Meeting?
Lastly, I noted in Boris Johnson’s screenshot, that there is a user called simply ‘iPhone’ (see bottom right) that is muted with the camera off:
There was an unnamed, muted & hidden participant in the Cabinet Meeting
It got me wondering whether this flaw has previously been found — if I could discover it then it seems plausible that others could too, which makes this bug particularly worrisome.
Remediation
The high level recommendations I passed on to Zoom for fixing this were:
Rate limit GUIDs to a reasonable number of password attempts (e.g. 10 [different] failed attempts in an hour for a given meeting)
Rate limit IP addresses, irrespective of GUID, for password attempts (irrespective of meeting ID)
Rate limit or trigger a warning should a given meeting pass a set failure rate for failed password attempts
Fix the CSRF on the Privacy Terms form, so it is harder to automate attacks.
Increase the length of the default password.
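To make the first three recommendations concrete, here is an added Python example (not Zoom's implementation, and not code from the post) of a server-side gate that sits in front of the meeting password check. It keeps a sliding one-hour window of failed guesses per (GUID, meeting), per IP, and per meeting, refuses to evaluate a guess once a limit is reached, and raises an alert when a meeting's failure count crosses a threshold. The class name, the in-memory password store, the default limits, and the test values (the dummy meeting ID 618086352 and the password 170118 from the post's test output) are assumptions or constructed data.

```python
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta


class MeetingPasswordGate:
    """Server-side gate in front of a meeting password check (constructed example, not Zoom's code).

    Only failed guesses are counted, every counter is a sliding window, and all limits are
    evaluated before the submitted password is compared."""

    def __init__(self, guid_limit=10, ip_limit=100, meeting_alert_limit=500,
                 window=timedelta(hours=1)):
        self.guid_limit = guid_limit                     # distinct wrong guesses per (GUID, meeting)
        self.ip_limit = ip_limit                         # wrong guesses per IP, across all meetings
        self.meeting_alert_limit = meeting_alert_limit   # wrong guesses per meeting before alerting
        self.window = window
        self.passwords = {}                              # meeting id -> password (constructed store)
        self.failures_by_guid = defaultdict(deque)       # (guid, meeting) -> deque of (ts, guess)
        self.failures_by_ip = defaultdict(deque)         # ip -> deque of (ts, guess)
        self.failures_by_meeting = defaultdict(deque)    # meeting -> deque of (ts, guess)
        self.alerts = []

    def register_meeting(self, meeting, password):
        self.passwords[meeting] = password

    def _trim(self, q, now):
        """Drop entries older than the window and return the deque."""
        while q and now - q[0][0] > self.window:
            q.popleft()
        return q

    def attempt(self, now, ip, guid, meeting, guess):
        """Return 'ok', 'wrong_password' or 'throttled'."""
        guid_q = self._trim(self.failures_by_guid[(guid, meeting)], now)
        ip_q = self._trim(self.failures_by_ip[ip], now)
        # Limits first: a throttled request never reaches the comparison, so it learns nothing.
        # Repeating the same wrong guess from one GUID counts once ("different" failed attempts).
        if len({g for _, g in guid_q}) >= self.guid_limit or len(ip_q) >= self.ip_limit:
            return "throttled"
        expected = self.passwords.get(meeting)
        if expected is not None and hmac.compare_digest(expected.encode(), guess.encode()):
            guid_q.clear()                               # a successful join resets that GUID's counter
            return "ok"
        guid_q.append((now, guess))
        ip_q.append((now, guess))
        meeting_q = self._trim(self.failures_by_meeting[meeting], now)
        meeting_q.append((now, guess))
        if len(meeting_q) == self.meeting_alert_limit:
            # Fires once per crossing; a meeting attacked from many IPs and GUIDs still shows up here.
            self.alerts.append(("meeting_failure_rate", meeting, len(meeting_q)))
        return "wrong_password"


if __name__ == "__main__":
    gate = MeetingPasswordGate()
    gate.register_meeting("618086352", "170118")          # dummy meeting ID and password from the post
    t0 = datetime(2020, 4, 1, 10, 0, 0)
    for i in range(12):
        print(i, gate.attempt(t0 + timedelta(seconds=i), "203.0.113.7", "guid-1", "618086352", f"{i:06d}"))
```

The three counters answer the three ways the attack in the post scales: the per-GUID limit stops a single anonymous identity, the per-IP limit catches the trick of requesting a fresh batch of GUIDs from one machine, and the per-meeting counter is the only one that still reacts when guesses arrive from several cloud servers at once, which is why it feeds an alert rather than a hard block (a hard per-meeting block would let anyone lock a meeting's legitimate attendees out).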
As far as I can tell (Zoom hasn’t given me any insight into what they did to mitigate the issue), it seems Zoom has made a couple of changes:
Started enforcing sign-in for users joining meetings via the web client; it is unclear if this is a permanent change or not (it is a problem for some users as I understand).
Updated default passwords to be alphanumeric instead. This seems to be in some phased rollout as I’m still sometimes seeing numeric only passwords.
Zoom Response
I reported the issue to Zoom directly, and they quickly took the whole web client offline for a few days whilst they triaged the issue; it came back up a few days later.
I’m aware Zoom have been under a lot of scrutiny for their security practices given their sudden spike in usage brought about by the COVID-19 pandemic. From my interactions with the team, they seemed to care about the security of the platform, and their users and they seemed appreciative of the report.
Zoom run a private, invite only, bug bounty program, which is a fairly common practice for lots of organisations. I was invited to submit this bug to the bug bounty program, but I asked to wait as I was interested in the new bug bounty program they were working on. I wondered if the new program rules would guarantee consent for disclosure, given I felt this was a bug of public interest. Zoom agreed I could submit the bug under the new program when it was launched.
Unfortunately, I’ve not seen anything regarding a new bounty program, and haven’t heard back to my recent messages to Zoom (I’m sure they are busy and this bug is fixed, tbf). Therefore, I’m disclosing the bug (they had agreed to disclosure), given it has been fixed for a while.
I did submit a couple of other small bugs via the private program on HackerOne, and received bounties for those. Thanks Zoom team! 🙂
Wrap up
It was surprising to me that there was a lack of rate limiting on the central mechanism of the platform, which combined with a poor default password system and faulty CSRF meant that meetings were really not secure.
However, Zoom’s response was fast, and they quickly addressed the rate limiting issue. Zoom meetings also got a default password upgrade, which is great.
Zoom’s ease of use and video conferencing quality have made it a hugely valuable tool for millions of people over the last few months, during what is a tough time. Many (most?) are using it entirely for free. That is a great thing, and I’m grateful Zoom exists. Thanks Zoom team!
Timeline
1st April – I reported the issue to Zoom, with a working Python POC. I sent this via their generic support form, and via email.
2nd April – I followed up with a draft of this post as additional explanation, and a better commented version of the Python code. I tweeted at Zoom to ask about a status, and in DMs with them passed on the ticket number.
2nd April – Heard from their team they were looking (this was about 24 hours following my report), then received a follow up from Zoom’s CISO.
2nd April – Noted that the Zoom Web Client was offline, returning a 403. This also affected the web SDK.
9th April – Heard from the Zoom team that this was mitigated.
16th April – Heard they were working on updated bug bounty program.
15th June – Requested update on BB program. No reply.
8th July – Asked again if I could submit this for bounty. No reply.
29th July – Disclosure.
Ep 1 Transcript Under Cut
Nick: Hello and welcome to Adulting with Autism. The podcast based on the blog, based on the movie, based on the book
Liz: Based on the Broadway flop
Nick: Yeah, it was terrible. No-one went to see it. I’m Nick
Liz: I’m Liz
Nick: And together…we’re almost a competent adult
Liz: Yeah we’re getting there
Nick: We are. We’ve been running the Adulting with Autism blog for a number of days
Liz: An amount of time
Nick: Yes, and it gained an amount of popularity over those amount of days
Liz: Yeah a surprising amount actually.
Nick: Yeah. So we decided, like anyone who’s on the internet in 2017 it was time to do a podcast
Liz: So we’ll be taking questions from the blog and answering them as best we can, maybe having a bit of a discussion. And anything that isn’t addressed on the podcast will be addressed on the blog
Nick: Yes. You can say “no, I don’t want to be part of this” or just message and say “I don’t want this on the podcast”. We’ll just answer it on the blog, as normal. Still want to keep that running but this seems like an interesting format to discuss the sort of stuff you’ve been sending in
Liz: So the first question that we’ve got, more of a request really, comes to us from tumblr user weinerdoglattes, who, excellent URL by the way, who wants us to talk about discussing a new diagnosis as an adult. Sort of how to bring that up and talk about with people, really
Nick: Ooh I don’t know, really. Do we have any relevant expertise in recent adult diagnoses?
Liz: I dunno, it was over a month ago
Nick: Yeah a whole month ago, that’s an ancient diagnosis you’ve got there
Liz: (laughs) Certainly from my own experience I started out talking to people who already knew about autism so I didn’t really have to explain too much. Then it was time to tell my Mum. Which…I say that like it was a horrible experience but it really wasn’t too bad. But my main advice would be to limit it to the basics, because there’s not a lot of awareness of autism beyond “oh I’m quiet and I like maths.” Neither of which is the case for me. At all.
Nick: No, you hate numbers. You’ve declared a vendetta against them
Liz: I have. A vendetta not one vendetta though because that would be counting. So that would definitely be my main advice. But also, as you said in your ask, actually, talking about how it might be more obvious as you get older because there’s more stress, more sensory input, talk about how that means it could be very easily overlooked. And I don’t know your gender, weinerdoglattes, but it’s very common for women to be underdiagnosed or to be diagnosed as adults. So I don’t know if that applied to you generally but it’s…
Nick: It’s definitely a thing.
Liz: Yeah, for anyone who has similar query, that might also be worth mentioning
Nick: Definitely
Liz: Do you have anything to add?
Nick: I mean you were diagnosed as an adult, so I think you’ve definitely got the more relevant viewpoint on this score, but I just want to back up everything you’ve said there. It’s good to stick to the basics, really, when it comes to informing people
Liz: And if they do want more information you can always point them at things like the Autism Self-Advocacy Network, which is a really useful resource, that and the National Autistic Society were really useful resources for explaining the whole concept to my family
Nick: Yeah those are really well done sets of resources, definitely things I’d recommend
Liz: I mean, they’re not perfect, but…
Nick: But they’re pretty good
Liz: A good starting point, if you don’t want to have to explain the basics
Nick: One thing that’s good to impart is to explain that yes, here’s the basic textbook idea of it but it’s always good to tell people there’s a lot of variation, y’know, everybody’s quite different. Even if they have similar problems they’ll manifest in quite different ways
Liz: Well yeah, even if you just look at sensory issues, the two of us have very different issues with certain food textures.
Nick: Yeah, that’s definitely true
Liz: Like, you won’t eat crisps, but I love crisps. But I hate the feel of cooked apple. The texture, and the taste, and just everything about it, whereas you’ll just inhale apple pies
Nick: I love apple pie, it’s my favourite kind of pie. So, yep, that’s basically apple pies are good, crisps are bad and you should take it one step at a time. That’s my advice to you
Liz: Yeah, that seems a good summary. Good luck weinerdoglattes
Nick: You’re gonna need it. Take my advice
Liz: Don’t say that!
Nick: Well if you take my advice. Liz gave some good points
Liz: (laughs) Shall we do another question?
Nick: I think we should
Liz: Do you want to read this one?
Nick: Okay. “Is it normal/common for autistics to get chills easily? I find when I'm watching movies, listening to music, what have you, I often get chills if something even remotely sparks emotion in me. It's like the Emotion® becomes Too Much™ and I'm suddenly teary as a result. Thoughts?”
Liz: Okay, so autistics are generally thought of as having low empathy, but you can also have a thing that, certainly I’ve seen referred to in the online community as “hyperempathy”. Which definitely sounds like what you’re describing, sort of picking up on the emotions of the situation to the point where you just can’t control your own emotional reaction. I mean, you get that a lot, don’t you Nick?
Nick: I do get it a lot. I mean, I will cry at almost anything. Just a ridiculous amount of things. Emotions are happening, I’m just there, I am movéd.
Liz: Movéd?
Nick: Yes, I am movéd by the emocións.
Liz: It’s so emotional, that you become early modern
Nick: Indeed. Indeed so I do that thing in which I am early modern in my patterns of speech.
Liz: Forsooth
Nick: Forsooth indeed. Yeah I often experience that, but you don’t so much, you don’t tend to get emotional over…
Liz: I do not do the empathy thing. I can identify people’s emotions and, intellectually, I can understand the cause of them, but I do not empathise
Nick: Yeah, you’re a caring person, you are very kind and thoughtful when anybody’s in distress but yeah…
Liz: I’ve cried at exactly one book in my life, except that it wasn’t so much the feelings of the character as the flashbacks that I got
Nick: I’ve cried at approximately every book
Liz: And film
Nick: Yeah in fact you kept a list, one week, of all the things I got emotional over, because I just have too many feelings
Liz: Yeah, I mean it’s not strictly related to hyperempathy, but when you get someone who gets overly emotional at the concept of the number five…
Nick: The thing is though, it’s really good. It just…fits everywhere. It’s always got a home. Y’know?
Liz: (laughs)
Nick: But yeah, long story short I get where you’re coming from. Obviously not everybody gets that but I’ve got that in spades. I find it’s actually quite useful in some ways because, having depression and stuff like that means I can feel quite emotionally bunged up every so often like “oh no, everything’s happening so much, I need to get everything out”. I feel like it’s good to use that hyperempathy as a sort of release for all of this stuff just like, I know if I listen to this song I’m gonna cry, I know if I watch this series finale I’m gonna cry, so that means it’s a shortcut to feeling something. Which is always nice.
Liz: The emotional equivalent of having a large curry when bloated.
Nick: Yeah. Gets it all out of you
Liz: (laughs) Good
Nick: Yeah, yeah, we went there
Liz: So, in summary, anonymous, that is indeed an autism thing. (laughs) I didn’t think we’d go to poop so quickly
Nick: Yeah and it wasn’t even me
Liz: (laughs)
Nick: I’m usually the one who goes straight for the poop, no, in this instance it was not me.
Liz: Okay, next up we have animatedcalico, who asks “How can I determine what is a special interest and what's just a major fandom I'm in? When I'm in a fandom, I tend to go all in and become obsessed with it. Is there really a defining trait of how I interact with the interest that sets it apart or do I have a large multitude of special interests?” This is…a really difficult question.
Nick: It is. It’s a thinker is that. Oh boy, erm…
Liz: I mean, a lot of parts of special interest are big parts of fandom culture. Squeeing about things, infodumping, obsessions which may either be short lived or last for ages. I can’t really think of a way to draw that distinction
Nick: No, that’s pretty hard. I find though, that there’s very much different kinds of fandoms and different ways of engaging, I see people looking at different aspects. Like, you could know all about the ins and outs of a Stormtrooper blaster from Star Wars or something like that. That feels, to me, more in the area of special interest, if you see what I mean, because sometimes you’ll burrow into the real technical details of it.
Liz: But then you do get neurotypicals who do that
Nick: That is true, it’s a thorny area
Liz: I do think it’s not really possible to make a definite “this is fandom, this is special interest” statement. But I think the thing to bear in mind is it is possible to have multiple special interests, and they can be short lived or last a lifetime, but honestly my main piece of advice would be just try not to think about it. Just enjoy your passion. It’s so rare to find something that you can be really passionate about just…don’t overthink it
Nick: In fact, a lot of the time don’t overthink it is just really solid advice. Unless you’re doing quantum physics. In that case you might want to overthink it. That might be a…
Liz: Yeah but overthinking is, by definition, thinking too much. It’s just that the boundary for overthinking is a lot higher
Nick: That is true. I’d really hate to see what somebody overthinking quantum physics looks like. That would be terrifying
Liz: Their mind just literally explodes. It’s horrifying
Nick: Is it like one of those memes, with the iterations of the mind…
Liz: Those are actually photographs of someone overthinking quantum physics
Nick: Their poor family. Ok, so yeah, it’s good to have passions, and it could be multiple special interests. I guess that problem is that, when it comes to being neurodivergent, it can actually be impossible to tell what aspects of your personality or interests are from the way that your brain is, or from nurture or nature or anything like that
Liz: But as someone with three mental illnesses on top of autism, that is a terrifying rabbit hole that I would recommend everyone stay away from
Nick: The thing is people just cannot necessarily work out the root cause of these things, even if you don’t have mental illnesses, or are neurotypical, I don’t know anyone like that but…
Liz: They must exist, I see them on TV
Nick: They probably exist but those are actors, so they’re just pretending. Even if you don’t have anything like that, it is a problem finding a root cause but, either way, one is not more or less real than the other, if you see what I mean it’s…I don’t want to use the V word because we kind of hate the word “valid” a bit for reasons we’ll probably go into later but, yeah, just because something is a special interest or a coping mechanism or something like that, to me, it’s really no different to just being a thing that you like or that you enjoy
Liz: If it’s an interest with a lower case i or an upper case I, like I said, the important thing is to just enjoy yourself. Enjoy your life. Enjoy your interests.
Nick: Liking things is nice. It’s really nice, it’s the nicest thing you can do
Liz: Apart from loving things. Loving things is great, I highly recommend loving things
Nick: Loving things is superb. That was really interesting question, thank you for sending that in. That was a really thought provoking question and we hope that we answered that
Liz: If not, feel free to yell at us over the internet
Nick: Everybody does. That’s a lie everybody’s been very pleasant in all their messages, as far as I’m aware
Liz: Yeah it’s a lovely community. We love all of you
Nick: Thank you all for being very polite and pleasant in your messages to us
Liz: Ok, we have one more question, it’s from websinz, with a z.
Nick: Sinz. Ooh.
Liz: I think this is more of a me one.
Nick: Okay
Liz: “How do I go about seeing if I have autism? My CAMHS said I needed to be screened for it and then I turned 18. So, I'm not sure what to do. I'm pretty sure I am, and my therapist was pretty sure too. But I'd kinda like an official diagnosis if that makes sense. Apologies if this has been asked before!!!” Ok first off, websinz, it is fine to ask things that have been asked before
Nick: Yeah especially if we keep going as a blog and podcast for a while, we’re probably going to get questions coming up again and again but it’s not fair to ask people to just comb through the archives
Liz: Hunting things down
Nick: We’re gonna try to tag things with the appropriate tags but you don’t want to go through all the different posts. If there’s a question, even if it’s a frequently asked one, we’re always happy to answer
Liz: And you never know, we might think of something to say one time, that we didn’t think of another time. But anyway, basically, the process that I went through was get referral from GP, speak to, I assume they’re a CAMHS, but basically got referred to the local adult autism service, went and spoke to them, got a diagnosis. The fact that you’re already seeing a therapist who is also pretty sure you’re autistic, I would honestly just broach it with them. Either broach it with them or with your GP. I’m assuming that you’re in the UK, because I haven’t seen “CAMHS” anywhere else
Nick: For anyone who doesn’t know, that, I believe, stands for “Child and Adolescent Mental Health Service”
Liz: So, the fact that your CAMHS said you needed to be screened, and your therapist thinks that you’re autistic, means that it should be very easy for you to get a referral.
Nick: That’s a lot of stuff backing that up
Liz: Yeah and a lot of places do have specifically adult focused autism services. Some of them even allow you to self refer but you should check the NAS website whether or not they allow self referral as they differ. Our local one in Bury doesn’t. Just ask for a referral, that’s all you need to do.
Nick: Anyone who’s possibly nervous about asking, if you’re worried about facing gatekeepers of some kind – it’s unfortunate but it does happen. What I’d recommend, it’s helped some people I know, is building up a bit of a list. Going right, sensory stuff. “I can’t stand jams” for instance
Liz: Have you been reading my blog?
Nick: No, just an example. So I can’t abide jam, it is sensory heck for me. I often go non-verbal, etc, any other things.
Liz: And if you’re not sure what exactly the list of autism symptoms is, look at ASAN, NAS, you can get a pdf of DSM-5.
Nick: Yup, you can get stuff like that. Also it’s ok if you’re looking at diagnostic criteria and you feel like you match some of them but not others.
Liz: Nobody matches all of them. Some of them are impossible to match both.
Nick: Yeah, it’s a descriptor for a wide variety of behaviours and traits.
Liz: You could almost call it a spectrum.
Nick: You almost could yeah, I hope it catches on. So yeah, it’s a spectrum and everyone’s a little bit different. I think that’s what makes it such an interesting community. Good luck with getting the referral and the diagnosis, I think you will.
Liz: It sounds like you’re ¾ of the way there, frankly.
Nick: Best of luck with that, and best of luck to anyone seeking a diagnosis or referral.
Liz: And best of luck with your internet sinz.
Nick: Yes, good luck with those. Is that the last question we have?
Liz: Yeah that’s all we’ve got.
Nick: Ok, hopefully you’ve enjoyed listening to our podcast. We’d advertise some underwear or mattresses or something. That’s what you do on podcasts, but we don’t have any sponsors so…
Liz: So enjoy your food and clothing and sleeping areas, whatever they may be.
Nick: I personally eat, clothe, sleep. Dunno about you.
Liz: Sometimes I forget to eat, but I definitely do the other two.
Nick: That’s good two out of three ain’t bad.
Liz: So hopefully we’ll speak to you again, thank you for sending your questions and thanks for sticking with us through what was hopefully 11 minutes of slightly informative rambling
Nick: twice that
Liz: I cannot do maths
Nick: You do have a vendetta against maths
Liz: That’s true
Nick: A single vendetta. So goodbye dear listeners
Liz: Dear listeners?
Nick: Yes, I’m being nice. They’re dear to me
Liz: Ok
Nick: They’re my friends. So goodbye listeners, do send us your questions or topics for discussion and we’ll hopefully be up with another episode soon.
Managing a blog page for a group or organization can be fun and rewarding – a phrase that should immediately toggle the cautionary button.
It’s that time of year for our annual writer’s group conference in mid-March. Since I blog somewhat regularly on WordPress, I was asked to revamp an outdated WordPress page to post presenter profiles, interviews, and conference news. Essentially, I’d be the ‘ghost in the shell’ to solicit, edit, format, and post articles by other group members.
Hey, I use WordPress all the time. How much trouble could it be?
Looking back, I ignored the ‘check details before proceeding’ indicator, and thought I’d share a few things I learned.
Get a Clear Mission Statement Before Proceeding
Valentina Conde – Unsplash
The group gave me carte blanche to redesign the page, which included an upgrade to a premium page for a small annual fee with access to better template options, widget buttons, and customary links. Nobody had to learn HTML tech-speak or pay a monthly “mortgage fee” to fancy-pants web designers.
That part was the easy part.
Once the docket was approved, we created a process for members to sign up for one or more of the over twenty articles slated to print over a time frame of four – five months. First solicitation was met with a silence akin to a high school gymnasium at 2:00 AM. It took a bit of prodding by group officers to get things rolling, but eventually folks stepped up.
Create a New User Account for the Blog
Ludovic Toinel – Unsplash
I blew this one big time. As a WordPress Premium Plan user myself, I hoped to minimize the setup time by creating a new page while logged in with my own account, then adding others as administrators. Updating a page whose original owner has stopped participating with the group isn’t the best way to go, since the page could then be accessed by anyone.
I didn’t have problems with approved members accessing the blog and creating a post, but like Facebook, the WordPress folks like having an “owner” available for everything. Since I revamped the page while signed in on my personal account, the only way I can unlock myself is to delete the account. The annual bill hits my account every year like the return of robins in spring. Every year I have to rebill the group. I’m still working on a third-party PayPal invoice option.
Twenty-twenty hindsight; start fresh.
First, sign out from any personal WordPress and email accounts that are open.
Create a new group email and sign-in credentials if one is not available. I found Gmail to work best. It may sound like a Homer Simpson “duh”, but make sure officers know how to access it.
Then go to WordPress and create a new account, using the group email.
Have fun building the chosen template to fit your needs.
Be sure to include group’s mission statement in the blog page “About” profile.
Have more than one administrator assist with the management of it. I suggest offering a cocktail or two before making your pitch.
Select Template to Suit the Group’s Brand
From: blogaholicdesigns
I love WordPress because they take the pain out of designing a page. They have lots of templates for writers and authors, and the web is chock full of outside designers who create WordPress-compatible templates. You want it to be easy to read, not splattered with visual frilly things that distract from the text. Save that for a personal blog that celebrates all things unicorn.
I stuck with the same template I use for my personal page because I’m lazy, and the Chateau Theme has a good balance of widget placement, logos and link options.
I’ll not go into details of initial page set up. WordPress is fairly easy to navigate, and numerous Youtube videos exist from people who don’t get out much. Best advice I have in how to organize the page:
I’ve always believed a picture tells a story, even if it’s a simple message. Not everyone agrees, but to me, without one a blog page is just another bunch of words in an overcrowded blogosphere universe. And since the graphic is the first visual a reader sees, make it a good one.
I went all out on my personal page on dtkrippene.com. Took me weeks to find that perfect graphic to represent my brand, “Searching For Light in the Darkness.” For a writer’s group, we agreed something less snazzy would be appropriate.
Ready, Set, Blog – Wait …
To fill in that vast empty draft space, articles authored by other group members should be submitted with the following criteria.
Micah Boswell – Unsplash
Article typed in Times New Roman, 12-point font, preferably in Word for Windows or a compatible program like Open Docs. The days of handing a secretary handwritten notes for letter dictation ended decades ago, and I don’t have time to retype an entire draft. Cutting and pasting on that blank template above saves a pile of time. Avoid fancy fonts; work them into the WordPress draft if you want them.
To this day, I still get articles inside the body of an email or formatted in a weird font that I must reformat. As a result, I transfer all submitted articles to a separate Word document by copying text, using “Paste Special – Unformatted Text” to remove hidden formatting problems that don’t translate well to WordPress, followed by changing the pasted text to TNR 12. Even then, I frequently have to use WordPress’ “Clear Formatting” button (little eraser symbol) on pasted text.
Patrick Goth – Unsplash
A useable headshot for profile or interview, not a thumbnail taken from Google Images, or a blurry selfie shot. There won’t be enough pixels. Do not include the photo inside the Word document, which requires screen-printing to the clipboard, then opening a photo program to access the pic for saving as a JPEG, only to get a photo the size of a postage stamp. Most professional agents and authors will provide a media kit upon request. The upside with WordPress is that if the photo is too large, it’s easily reduced in the body of the draft.
Marco Djallo – Unsplash
Editing isn’t supposed to be in the job description, but it ends up as one. Minor faux pas for punctuation and a missing word happens to everyone, but I’ve had to practically retype some submissions. There’s a lot more to it than typesetting. When I write an article for someone else, I treat it as if I’m submitting to an agent. I mean – we’re supposed to be writers.
Include social media and website links if doing a presenter profile or interview. The most time-consuming chore with posting someone else’s work (aside from chasing down useable photos), is searching the net for said links. Why is this important? It’s a common courtesy in a profile piece, and the more links we have inside the article, the greater the SEO search linkages the article will have, which leads to greater exposure. The pros know this.
Get article author’s bio and headshot. The point of volunteering to submit an article is exposure for the author. “Written by Such-n-such” is about as invisible as the dialogue tag – “said”. If article author hasn’t created a bio, this is the time to draft one. Call me old-fashioned for thinking readers want to see a human face, I tend to reject avatars. It might be acceptable with Twitter and Instagram, but if an article author wishes to remain anonymous, so be it. Unicorns and cute pugs are not writers.
Leio Mclaren – Unsplash
Article should include author’s social media links as well. I remember asking one article author if they had any social media links included in their bio, who answered with “I don’t use social media.” I almost followed up with “how does anyone know you exist as an author”, but sighed – que sera sera, and quit asking.
Pay attention to tags and keywords. For the conference, every article should be tagged with: Writing, Writing Conferences, Writing Craft. If the article is a profile or interview, add tags to identify the skill set, like ‘Author Voice’, Query Letters’, or ‘Staging Fight Scenes’. If an author of YA fantasy, tags should include YA and Fantasy. If the profile is about a publisher or book coach, include the publisher’s agency name, ‘Marketing’, ‘Self-Publishing’, ‘Indie-Publishing’, etc. It helps fine tune SEO search engines, so browsers looking for book writing tips don’t end up with suggestions on how much to tip.
Share the article on other Social Media accounts. If the group doesn’t have a Facebook Page, get one (sorry, didn’t mean to shout). To paraphrase the words of a NYT bestselling author who spoke at a past conference, blogs exist in a ‘tsunami of content’. To break out of the isolated bubble of a few group members and family friends who might read it, group postings need a social media sprinkler to let others aware the group exists. We’ve found contacting and liking other writer groups and interested parties pays big dividends. Fellow group members who participate in social media should also help broadcast the news. Ask any RWA Chapter Group; many of them have the best communicative share net on the planet.
From: imfunny.net
When posting the article link, Facebook automatically pops the first paragraph and the picture embedded in the article. It may appear to save time, but what often happens is the photograph displayed may not be the article header pic (if article contains more than one photo). Even if it is, the photograph won’t paste to Facebook Photobook. Took me a few iterations to discover the best course of action is to type in the article title, followed by pasting the article link, then physically attaching the article picture from file. Sounds convoluted, but the article graphic becomes a permanent record on the Facebook page, and it won’t be a cat selfie.
And if You’re Still a Glutton for Punishment …
Vance Osterhout – Unsplash
Our group page goes into hibernation after conference activity ends, until the next cycle begins six months later. I’ve been taught that leaving an active website unattended for long periods of time can undo all the connections gathered. Personally, I don’t blog often, but I try to be regular. As if I wasn’t having enough fun with the group site, I suggested the platform was available to membership during the off months to:
Announce a new book, short story, or article that appeared in a magazine
Offer a poem, or short story for others to read.
Allow other writerly folk who have something to share with the group
Invite blog sharing from other sites. We’ll post your article, you post ours.
Share your writer’s journey.
Share a valuable lesson learned that may help others
Share successes. Share disappointments. We’re all in this together.
The list is endless.
The submissions for off-season, unfortunately – haven’t been.
A Side Note on Other Blogging Platforms
Markus Spiske – Unsplash
I’m a diehard WordPress user, because I’m too lazy to relearn another platform. But if you’re interested in what’s available, check out The 10 Best Free Blogging Platforms in 2018! (Pros & Cons). What you’ll find is – free gets you in the game, but it’s going to cost a bit more for any kind of customization.
I still run across writers and authors who feel the need to have someone design a custom blog website to be unique. If you want a primer for how much this stuff costs, read How Much Does a Website Design or Redesign Cost? [2019 Guide] for a hefty dose of sticker shock.
From: digitalsynopsis.com
I’ve lost count of those who claim to have a brother, cousin, or uncle-of-a-neighbor who has some chops in programming. I’m all for unique, but if it’s a group site, the major issue is what happens if the programmer/administrator gets hit by the proverbial bus? Time and time again I’ve seen website “owners” disappear, leaving the hapless writer stuck with an HTML-intensive site without an instruction manual.
I’m sure I missed a few things, but I think I’ve confused you enough. If you remember anything, stick with simple. You’ll be glad you did.
This ghost-in-the-shell thing is hard enough as it is.
May You Blog Well and Prosper
**********
By the way, we still have openings for the GLVWG Write Stuff Conference™, March 21 – 23, 2019. Check out the amazing line up of speakers and get an opportunity to pitch your book to agents and editors.
You can learn all about the presenters on the GLVWG WordPress Blog.
A lot of work went into those articles. Throw us a bone, will ya, and give us a like.
Ghost in the Shell – Group Blogging for Fun and High Blood Pressure
Which Is The Best WordPress Hosting? 7 Hosts
Choosing the best WordPress hosting for your site is critical.
And the most important thing you need to consider is…
How fast it is!
Why?
Because if your website loads slowly, you will suffer from-
Lower search engine rankings
Higher bounce rates
Lower page view numbers
Lower conversion rates
And last but not least…
A SLOW WEBSITE = LOWER PROFITS!
Your website’s speed is critical to the bottom line of your business.
And all of that starts by making sure you choose the best WordPress hosting for you.
PRO TIP: With WordPress hosting- “best” does not mean “most expensive”
Keep reading and you’ll understand exactly what I mean…
Because the tests below will help you save $1,080 this year.
Which Is The Best WordPress Hosting?
Choosing the best WordPress hosting is easy.
You want to make sure that the host you choose-
Is super fast on the front and back end
Loads your website quickly globally
Takes security seriously (automatic backups & SSL)
Offers great support
Provides value for money
The problem is, that is much easier said than done.
So to find out who really offers the best WordPress hosting…
I set up 18 test blogs across 7 popular managed WordPress hosting providers.
And then I ran 6 tests across each of those 18 blogs-
Speed of loading from different locations around the world
Ability to cope with a plugin-heavy WP blog
Ability to handle a heavy simultaneous traffic load
How each host’s hardware benchmarks
Support speed & quality
Value for money (very surprising result!)
Note: I chose the cheapest plan with multiple sites. Cheaper plans are available.
Kinsta – The current host of this blog
Cost: 2 websites, $60 monthly, $600 annually
CDN: Yes – KeyCDN included
WPX Hosting – The previous host of this blog before Kinsta
Cost: 5 websites, $24.99 monthly, $249.99 annually
CDN: Yes – WPX Cloud included
WP Engine – My host before WPX Hosting (it wasn’t great)
Cost: 5 websites, $115 monthly, $1150 annually
CDN: Yes – MaxCDN (now StackPath) included
SiteGround – Specifically their managed WordPress hosting option
Cost: unlimited websites, normally $19.95 monthly, $239.40 annually
CDN: No – Free CloudFlare recommended
Hostgator – The managed WordPress Hosting package
Cost: 3 websites, $27.95 monthly, $335.40 annually
CDN: No – Free CloudFlare recommended
Liquid Web – Again, their managed WordPress hosting offering
Cost: 10 websites, $99 monthly, $1,188 annually
CDN: No – Free CloudFlare recommended
Amazon EC2 – Not a managed WordPress host, but a DIY wildcard alternative
Cost: Unlimited websites, $14.99 monthly, $179.88 annually
CDN: No – Free CloudFlare recommended
WP Engine & Liquid Web are the most expensive of all of them by a long way.
You would expect them to be the clear winners…
Right?
WRONG!
Not even close.
How I Tested WordPress Hosting Speed
I set up a total of 18 test sites across the 7 hosts.
Hosts that included a CDN as part of their package had 2 sites installed on them (WPXHosting, Kinsta & WP Engine).
Hosts that ask you to use a free CDN like CloudFlare had 3 sites installed on them (Siteground, Hostgator, Amazon EC2 & LiquidWeb).
All of the sites are hosted in the USA.
Then I created 3 different types of blog on 1 host and cloned that across each host using this plugin–
Blog Type #1 Image Heavy – Cronus theme, 11 photos, 2,000 words
Blog Type #2 Plugin Heavy – Cronus theme, 30 plugins, no text/images
Blog Type #3 CloudFlare – Blog Type #1 plus the free CloudFlare CDN
And to help make things a little easier for you…
You can see the live versions of all of test blogs below-
Siteground
HostGator
LiquidWeb
Amazon EC2
WPX Hosting
Kinsta
WP Engine
Feel free to click through to any of them and run your own tests!
But if you’re too lazy to do that…
Here are the results of my 6 tests-
Test #1 – Image Heavy Site Loading Speed
In this test:
I took the Blog Type 1 (image heavy) install for each host and ran it through GTMetrix twice.
Often a site's content is cached on the hosting server and CDN.
So I ran 2 passes of GTMetrix to make sure all caches were primed.
Then I tested each site from 7 global locations and averaged out the results.
This is what it looks like (result charts not included in this copy; tested from the USA, Vancouver, Canada; London, United Kingdom; Sydney, Australia; Hong Kong, China; Sao Paulo, Brazil; and Mumbai, India):
Test #1 Conclusions
All of the hosts performed within acceptable levels in the USA and Canada (except for Amazon EC2).
It’s only when you start taking a global look at things do you see dramatic differences in the load times.
But having globally fast loading times is critical in the modern economy.
Test #2 – Plugin Heavy Site Loading Speed
A plugin heavy site can cause huge problems when it comes to load times.
And it’s easy to get carried away!
This blog has 56 active plugins at the time of writing.
And plugins can have such a big impact on load time…
WP Engine maintains a list of plugins that are banned on their platform.
So for the Blog Type 2 (plugin heavy) installs, I installed 30 popular plugins with no other content whatsoever.
Thrive Architect
Yoast SEO
Smushit
Contact Form 7
All In One Schema
WooCommerce
TinyMCE Advanced
Really Simple SSL
MailChimp for WordPress
Insert Headers and Footers
Redirection
WP Statistics
AMP for WordPress
Google Analyticator
WP Sitemap Page
Login LockDown
WP-Polls
WP Google Fonts
Cookie Notice for GDPR
Social Media Share Buttons & Icons
Quiz & Survey Master
PDF Embedder
WP Project Manager
ManageWP Worker
Code Snippets
Tablepress
PrettyLinks
bbPress
WordPress Download Manager
Business Directory Plugin
This test is different because we are testing the computing power of the host, rather than the speed of delivering static image files.
Then I tested each plugin heavy install from 7 global locations & averaged out the results (result charts not included in this copy; tested from the USA, Vancouver, Canada; London, United Kingdom; Sydney, Australia; Hong Kong, China; Sao Paulo, Brazil; and Mumbai, India).
Test #2 Conclusions
Like the first test, WPX Hosting is the winner here.
Although it is a marginal win over WP Engine.
It’s worth bearing in mind that the tested page had absolutely zero content.
And the slower hosts seem to have started choking with the higher number of requests.
Test #3 – WordPress Performance Tester Benchmarks
The WordPress Performance Tester plugin is specifically designed to stress test WordPress hosting servers.
It does that by running a number of tests-
Math – 100,000 math function tests
String Manipulation – 100,000 string manipulation tests
Loops – 1,000,000 loop iterations
Conditionals – 1,000,000 conditional logic checks
MySQL – basic MySQL functions and 1,000,000 ENCODE() iterations
$wpdb – 250 insert, select, update and delete operations
And then outputs 2 performance metrics-
Execution Time – how long it took to do all of those tests (lower is better)
Queries Per Second – how many queries per second processed (higher is better)
I ran each of the Blog Type 1 (image heavy) installs for each host through the plugin.
And these were the results…
Test #3 Conclusion
As you can see, two of the more budget-friendly hosts, WPX Hosting & SiteGround, performed incredibly well here.
But interestingly:
The more expensive hosts like Kinsta, LiquidWeb and WP Engine failed to perform.
That is the exact opposite of what I would expect to happen…
You would think those extra $$$ translate into better hosting hardware and setups!
But the data is telling a different story.
Test #4 – Load Impact
Next I wanted to know:
How would each host perform under stress from 500 simultaneous visitors?
However I had a huge problem:
Most hosts automatically block tests like this because it resembles a DDoS attack.
But it was critical that I conducted anonymous testing because I didn’t want the hosts to know I was testing them.
So I created a new page on each Blog Type 1 (image heavy) install with 1,000 words-
Then I set Load Impact to work by sending 500 simulated visitors to load each page on each host.
This is how it played out-
Host | Maximum Page Load Time (lower is better) | Maximum Requests Handled (higher is better)
WPX Hosting | 0.371 seconds | 3,370
Liquid Web | 2.56 seconds | 599
WP Engine | 3.57 seconds | 2,430
Amazon EC2 | 10.1 seconds | 305
Test #4 Conclusion
From the tests I was able to complete-
WPX Hosting was the hands down winner here – it wasn’t even close.
And although WPEngine, Amazon and LiquidWeb were slower…
They did not collapse under the testing and remained online.
As for the other hosts I had problems testing with-
Kinsta – LoadImpact was reporting a problem with overloaded Amazon VPSs
SiteGround – Either the hosting failed or they automatically blocked LoadImpact
HostGator – Fell down during testing, the site went offline with a 503 error
And while I would have loved to get a result for them…
It would have brought attention to my testing & I wanted to test anonymously.
Perhaps in the future I will be able to run this test again for the missing hosts.
Test #5 – Hosting Support
Speed of your website is one thing.
But speed (and quality) of support is another.
And given that the tested hosts are self proclaimed “WordPress Experts”…
I wanted to put that to the test.
So I opened an identical support ticket with each host to see-
How long it took to respond
If they would fix the problem for me
Here is the support ticket I sent to each host-
Hi Support,
I am not a very technical person and need help with the setup of this redirect on my site hosted with you thanks:
hostingtest2.space – all pages except hostingtest2.space/wp-admin
to redirect to
hostingtest2.space
Thanks in advance.
Matt
It’s not a super easy problem to fix…
But it’s not super difficult either.
Any WordPress expert should be able to tackle it.
In my opinion the easiest way to solve this problem is with a .htaccess edit like this-
RewriteEngine On
# Skip the admin area and the login page, otherwise the redirect locks you out:
# an unauthenticated /wp-admin request is itself sent on to wp-login.php.
RewriteCond %{REQUEST_URI} !^/(wp-admin|wp-login\.php) [NC]
# Send everything else to the other domain, keeping the requested path.
RewriteRule ^(.*)$ http://hostingtest3.space/$1 [R=301,L]
But:
There is always more than one way to skin a cat!
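Before trusting a rule like that on a live site, it is worth checking the two ways it usually goes wrong: locking admins out (wp-login.php not excluded) and redirect loops (the destination is itself matched by the rule). The script below is an added example, not code from the original post or from any of the hosts: it emulates the rule, renders the equivalent .htaccess, and follows a chain of redirects through an injected fetch function so it runs offline. The hostnames hostingtest2.space and hostingtest3.space are reused from the post, the fake server and every function name are assumptions constructed for the example, and https is used for the destination rather than the http of the rule above.

```python
"""Added example (not code from the original post): emulate the "redirect
everything except the admin area" rule from the support ticket and check a
deployed version of it for admin lockout and redirect loops.

Assumed, not from the post: every function name below, and the fake fetch,
which is a constructed stand-in for a real HTTP client so the check runs
offline. The hostnames are the test domains used in the post."""
import re
from urllib.parse import urlsplit, urlunsplit

# Paths that must keep serving the site itself. wp-login.php is excluded as well
# as wp-admin because WordPress bounces an unauthenticated /wp-admin request to
# wp-login.php; redirecting that would lock every admin out.
EXCLUDED = re.compile(r"^/(wp-admin(?:/|$)|wp-login\.php$)")


def rewrite(url, target_host, target_path=None):
    """Location a 301 would carry for `url`, or None when the page is served.

    target_path=None keeps the requested path (a domain move);
    target_path="/" collapses every page onto the root, which is what the
    ticket asked for. mod_rewrite carries the query string over in both cases.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    if EXCLUDED.match(path):
        return None
    new_path = path if target_path is None else target_path
    # A destination identical to the request would loop forever: serve instead.
    if parts.hostname == target_host and new_path == path:
        return None
    return urlunsplit(("https", target_host, new_path, parts.query, ""))


def apache_snippet(target_host, target_path=None):
    """The .htaccess equivalent of rewrite(), for pasting or review."""
    lines = [
        "RewriteEngine On",
        "RewriteCond %%{REQUEST_URI} !%s" % EXCLUDED.pattern,
    ]
    if target_path is None:
        dest = "https://%s/$1" % target_host
    else:
        # Collapsing onto one URL on the same host needs that URL excluded too.
        lines.append("RewriteCond %%{REQUEST_URI} !^%s$" % re.escape(target_path))
        dest = "https://%s%s" % (target_host, target_path)
    lines.append("RewriteRule ^/?(.*)$ %s [R=301,L]" % dest)
    return "\n".join(lines)


def follow(url, fetch, max_hops=5):
    """Follow 301s via fetch(url) -> (status, location); return (final_url, hops).
    Raises RuntimeError on a loop or when max_hops is exceeded."""
    seen = []
    while len(seen) < max_hops:
        seen.append(url)
        status, location = fetch(url)
        if status != 301:
            return url, len(seen) - 1
        if location in seen:
            raise RuntimeError("redirect loop: " + " -> ".join(seen + [location]))
        url = location
    raise RuntimeError("more than %d redirects from %s" % (max_hops, seen[0]))


def fake_fetch_factory(rules_host, target_host, target_path=None):
    """Constructed HTTP client: answers like a server on rules_host running
    rewrite(); every other URL answers 200."""
    def fetch(url):
        if urlsplit(url).hostname == rules_host:
            location = rewrite(url, target_host, target_path)
            if location is not None:
                return 301, location
        return 200, None
    return fetch


if __name__ == "__main__":
    print(apache_snippet("hostingtest2.space", "/"))
    fetch = fake_fetch_factory("hostingtest2.space", "hostingtest2.space", "/")
    for path in ("/", "/about?ref=1", "/wp-admin/", "/wp-login.php"):
        print(path, "->", follow("https://hostingtest2.space" + path, fetch))
```

To check a host's deployed rule instead of the emulation, swap fake_fetch_factory for a function that issues a HEAD request without following redirects and returns the status and Location header; follow() then reports the real hop count and catches a loop before a browser would.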
Test #5 Conclusion
As expected – the test results varied wildly here.
Some hosts took full control and deployed a solution on my behalf…
Where as others… didn’t.
Here is how they performed-
WP Engine
There was a 14-minute delay on live chat support initially.
And ultimately…
They said it wasn’t possible to do-
Eric Roiz: This unfortunately wouldn't be something that can work with a WordPress setup. With the way that WordPress loads out its content that wouldn't be able to work
Matthew Woodward: Can it be done in the htaccess file?
Eric Roiz: No, it's not a matter of being able to redirect or not, but rather that the way the sites individually load their content, that wouldn't be able to work
Matthew Woodward: OK Eric, I appreciate you trying. Thanks and have a good day there.
It wasn’t that the WP Engine Support Agent didn’t necessarily want to do it for me.
But he certainly didn’t know how to do it.
Siteground
Live chat response was pretty fast!
But the support team wasn’t willing to apply the change for me and wanted me to read an article and use their tool myself:
Martin T.: Sure, we do have a tool just for that and an article dedicated to it as well: https://ift.tt/1qT7ma2
Matthew Woodward: I always s**** up things like this and would greatly appreciate you doing it for me thanks.
Martin T.: I would be able to assist you if you’re facing any difficulties, but don’t worry it’s really easy and you can’t really mess anything up 🙂
Matthew Woodward: I always find a way!
Matthew Woodward: And it will take me a long time to go through the article and understand the exact steps.
Martin T.: It’s ok
Martin T.: Believe me it’s really easy and you can’t mess anything up as the redirects can always be removed 🙂
Matthew Woodward: I guess it’s not your policy to do stuff like that. It’s OK I understand.
Martin T.: As customer support representative we’re here to help whenever you’re facing any difficulties, of course, I would love to assist you with any difficulties that might come up when trying to manage your account with us 🙂
Matthew Woodward: Sure Martin, I appreciate that and have a good day there. Bye for now.
I did take comfort in the fact that if I applied the changes myself and messed them up, the SiteGround support team would help me out.
Liquid Web
Accessing live chat was very fast and the support agent was willing to help.
Although he stated that it wasn’t their normal policy-
“that is out of the scope of our support. normally that would fall under your responsibility. but as a courtesy i can attempt that. just keep in mind that we don’t normally do this.”
And as Liquid Web are one of the more expensive hosts, I was pleased to see them take control of requests like this.
Hostgator
Hostgators live chat response was very fast.
However:
Their solution failed when tested and the subsequent workaround seemed much more complex.
While it was overly complex, they did demonstrate that they were willing to take control of requests rather than palming them off on support documents.
WPX Hosting
WPX Hosting were the most impressive of the bunch.
Not only did they answer almost immediately but they also completed the request for me in about 10 minutes-
Luchezar: I have set the redirection as requested, can you please test on your end and see if it’s working?
Please clear your browser’s cache. Just press CTRL + F5 or use Incognito Mode (CTRL + SHIFT + N) for Chrome and (CTRL + SHIFT + P) for Firefox.
For reference, please check this article: https://wpxhosting.c…er-cache-chrome-firefox-edge-/
Matthew: Sure, one moment. Yes that works. Thank you and have a good day there. Bye for now.
You can’t ask for a better customer experience than that!
Kinsta
Kinsta (my current host) have always offered great, responsive support that takes control of issues.
They responded quickly to the live chat, but it seemed this issue stumped them – even though I have challenged them with much more complex issues in the past.
The Kinsta agent spent a very long time (2 hours+) trying to fix it but couldn’t get it working fully-
But they were committed to the resolution and prepared to invest significant time to help.
Amazon
Amazon is not a managed service like the other hosts here and is strictly do it yourself.
I know from past experience that you have to submit a ticket/email and they reply within 24 hours typically.
However, if their hardware is working- they expect the user to do everything in terms of configuration and software so their service wasn’t relevant for this test.
And of the hosts that did take control of the request-
It was WPXhosting that solved the problem the quickest and with minimum fuss.
However:
WP Engine & SiteGround seriously fell short here.
Their “WordPress experts” were not able to solve the problem.
Test #6 – The Free CloudFlare CDN
4x of the hosts I tested did not include any kind of CDN-
SiteGround
LiquidWeb
HostGator
Amazon EC2
And hosting companies commonly recommend that you set up the free version of the CloudFlare CDN.
Supposedly this will help increase site speed.
But is that really true?
To find out I cloned the Blog Type 1 (image heavy) install to a new domain on each host and then activated the free CloudFlare CDN-
Then I tested each of these installs with GTMetrix from 7 different global locations.
And the results were very interesting…
WordPress Hosting Features Compared
So far we have focused purely on speed, reliability and support.
But what about other hosting features…
As you can see:
There really isn’t that much difference between them on the face of it…
Except for price!
It’s only with the nitty gritty testing that you see huge differences in quality of service.
The Worst Things About Each Host
Regardless of which host you look at, each of them have their own cons.
The best wordpress hosting for me, isn’t necessarily the best WordPress hosting for you.
For example:
WPX Hosting is clearly the fastest, but if you need phone support…
They aren’t right for you.
So here is what I didn’t like about each of the managed WordPress hosting options-
WP Engine
WPX Hosting
No phone support
No Git support
Servers are only available in USA and UK
Back end control panel could be easier to use
Hostgator
Terrible trust score
No CDN on base plan
No free SSL certificates, only paid
No staging area
Long list of banned plugins
Automatic backups are a paid upgrade
Terrible loading speed from non-US locations (see above tests)
Liquid Web
Very expensive
Not exactly the quickest based on my testing
No CDN on base plan (but free Cloudflare CDN worked best of tested hosts here)
No free email, costs $10 monthly extra + $1-$3 per email address
No discounts for annual subscription
Kinsta
No phone support
Expensive for multiple websites
No email support – additional costs with Google Apps etc
List of banned plugins
No live chat for pre-sales questions
No free migration on the base plan
SiteGround
Pricing virtually triples in year 2
No staging area on base plan
After first month, no monthly payment option
No real CDN on base plan (free Cloudflare doesn’t count)
Amazon
Not really a WordPress host
You need to configure everything
Very technical, requires command line
No CDN
No automatic backups
Support is for their hardware only
No cost saving reason to choose Amazon over dedicated WP hosts
Wrapping It Up
While it is usually true that "you get what you pay for" in life…
That isn’t true when it comes to choosing the best wordpress hosting.
WP Engine ($115/mo) & Liquid Web ($99/mo) are the most expensive but also failed to perform.
HostGator were also consistently poor.
That leaves SiteGround, Kinsta and WPX Hosting to consider.
Kinsta and WPX Hosting performed consistently faster than Siteground.
But Siteground did hold steady throughout all of my testing.
I suspect if you added a quality CDN to SiteGround rather than the free CloudFlare suggestion they would perform much better.
But that’s an extra cost and Kinsta & WPX Hosting already include good CDNs for free.
So if I was going to rank them…
The Best WordPress Hosting Is…
WPX Hosting – Cheap but also the fastest with the best support
Kinsta – Solid performance, fantastic support & the current host of this blog
SiteGround – Budget friendly and fast but support was lacking
The great irony of these results is that…
WPX Hosting used to host this blog (I famously ditched WPEngine for them).
Then 2 years ago…
I moved the blogs hosting over to Kinsta because I needed-
A server level backup/restore system
A staging area
Access to new technologies like HHVM (which is now deceased)
But:
Since I moved this blog to Kinsta…
The WPX Hosting team have added a bunch of new features such as-
Their own backup/restore system
A staging area
A free custom CDN called “WPX Cloud”
In fact I still have 9 sites hosted with WPX Hosting including my SEO agency site and my black friday deals site (neither of which have WPX Cloud activated right now).
Where as Kinsta are currently hosting this blog and my SEO course.
But as they say:
The proof is in the pudding.
And based on all of my testing and personal experiences…
The best WordPress hosting is WPX Hosting (assuming you don’t need phone support)
And remember this:
A faster website will result in-
Higher search engine rankings
Lower bounce rates
Higher page view numbers
Higher conversion rates
And most importantly…
HIGHER PROFITS!
So don’t waste your time and money with a slower host.
Who do you think the best WordPress host is right now?
I would love to know!