You don’t need to change all your passwords

This is probably going to be a wildly unpopular opinion and IDGAF. So many of my non-technical friends are freaking out that I feel the need to provide a bit of reassurance/reality.

First, an analogy.

In 2005 we learned that you can open a Kryptonite U-lock with a ballpoint pen. Everyone freaked out and changed their bike locks ASAP. Remember that?

Now, I wasn’t riding a bike at the time, but I started riding a bike a few years later in San Francisco, and I know how widespread bike theft is there. I used multiple levels of protection for my bike: a good lock, fancy locking posts on the seat and handlebars, and I parked my bike somewhere secure (work, home) about 90% of the time and only locked it up in public for short periods. Everywhere I went I saw sad, dismembered bike frames hanging forlornly from railings, reminding me of the danger. Those were paranoid times, and if I’d been riding in SF in 2005 you can bet I would have been first in line to replace my U-lock.

These days I live in Ballarat, a country town in Victoria, Australia. Few people ride bikes here and even fewer steal them. I happily leave my bike unlocked on friends’ front porches, dump it under a tree while I watch birds on the lake, lean it against the front of a shop just locked to itself while I grab a coffee, or park it outside divey music venues while I attend gigs late at night. I have approximately zero expectation of anything happening to it. If I heard that my bike lock had been compromised, I wouldn’t be in too desperate a hurry to change it.

Here’s the thing: if you are an ordinary Jane or Joe living the Internet equivalent of my cycling life in Ballarat, you don’t need to freak out about this thing.

Here are some websites I use where I’m not going to bother changing my password:

  • The place where I save interesting recipes
  • The one I go to to look at gifs of people in bands
  • That guitar forum
  • The one with the cool jewelry
  • The wiki I edit occasionally
  • The social network I only signed up for out of a sense of obligation but never use

Why? Because a) probably nobody’s going to bother trying to steal the passwords from there, and b) even if they did, so what?

This Heartbleed bug effectively reduces the privacy of an SSL-protected site (one whose URL starts with https://, which will probably show a lock in your browser’s address bar) to that of one without. Would you login to a site without SSL? Do you even know if the site uses SSL? If you’d login to your pet/recipe/knitting/music site anyway — if you’d do it from a coffee shop or airport — if you’d do it from a laptop or tablet or phone doesn’t have a strong password on it — if you don’t use two-factor authentication or don’t know what that means — then basically this won’t matter to you.

(I’m not saying it shouldn’t matter. You should probably set strong passwords and use VPNs and two-factor authentication. Just like you should probably lock your bike up everywhere you go, floss, and get your pap smears on the regular. Right? Right? *crickets*)

So if you’re a regular Jane — not working in IT security, not keeping state secrets, etc — here’s where you really need to change your passwords:

  • Any site you use to login to other sites (eg. Google, Facebook)
  • Any site that gives access to a good chunk of your money with just your password (eg. your bank, PayPal, Amazon)

(To do this: use this site to check if the site in question is affected, then if it’s “all clear” change your password. Don’t bother changing your password on a still-affected site, as that defeats the purpose. Oh, and you should probably change your passwords on those sites semi-regularly anyway, like maybe when you change the batteries in your smoke alarm. Which I just realised I should have done the other day and didn’t. Which tells you everything, really.)

Beyond those couple of key websites, you need to do a little risk assessment. Ask yourself questions like:

  • Has anyone ever heard of this site? Does anyone care? Is it likely to be a target of ominous dudes in balaclavas?
  • If I lost my login to this site, or someone could snoop what I had on that account, what is the worst that could happen?

If your answer is “I’d lose my job” or “I absolutely cannot survive without my extensive collection of Bucky/Steve fanart” then by all means change your password.

If your answer is “Eh, I’d sign up for a new one” or “Wait, even I’d forgotten that site existed” then you can probably stop freaking out quite so much.

DISCLAIMER: I am not an Internet security expert, just a moderately well-informed techhead. Some people, including better-informed ones, will disagree with me. You take this advice at your own risk. La la la what the fuck ever, you’ll most likely be fine.

Seeking a volunteer for 3000 Acres (Melbourne, Australia)

As you might know, I’ve been working on 3000 Acres over the last few months. My time there is almost up and they’re looking for volunteers to continue developing the site. If anyone in the Melbourne area is interested in working with me on this, and then taking it over, please get in touch! It would be a great way to get involved in a tech project for sustainability/social good, and the 3000 Acres team are lovely people with a great vision. Feel free to drop me an email or ping me via whatever other means is convenient, and please help us get the word out.

3000 Acres connects people with vacant land to help them start community gardens. In 2013 3000 Acres was the winner of the VicHealth Seed Challenge, and is supported by VicHealth and The Australian Centre for Social Innnovation (TACSI) along with a range of partners from the sustainability, horticulture, and urban planning fields. We are in the process of incorporating as a non-profit.

Our website, which is the main way people interact with us, launched in February 2014. The site helps people map vacant lots, connect with other community members, and find community garden resources. Since our launch we have continued to improve and add features to our site.

So far, our web development has been done by one part-time developer. We are looking for another (or multiple) volunteer developers to help us continue to improve the site, and to help make our code ready to roll out to other cities.

We’re looking for someone with the following skills and experience:

  • Intermediate level Rails experience (or less Rails experience but strong backend web experience in general). You should be comfortable using an MVC framework, designing data structures, coding complex features, etc.
  • Comfort with CSS and Javascript (we mostly use Bootstrap 3.0 and Leaflet.js) and with light design work (eg. layout, icons)
  • Familiarity with agile software development, including iteration planning, test driven development, continuous integration, etc.
  • Strong communication skills: you’ll particularly use them for writing web copy, advising on information architecture, and project management.
  • You should be in Melbourne or able to travel regularly to Melbourne to meet with us. Phone, Skype, and screen sharing may also be used — our current developer is based in Ballarat.

We welcome applications from people of diverse backgrounds, and are flexible in our requirements; if you think you have skills that would work, even if they don’t match the above description exactly, please get in touch.

We envision this role being around 8 hours a week ongoing (somewhat flexible, and mostly from your own location). Initially you will work closely with our current developer, who can provide in-depth training/mentoring and documentation on our existing infrastructure and processes. Over the next 3 months you will become increasingly independent, after which time you will be expected to be able to create and maintain high-quality code without close technical supervision.

For more information you can check out:

If you’re interested in working with us, please drop Alex an email at No resume required — just let us know a bit about yourself, your experience, and why you want to work with us. If you can show us an example of some relevant work you’ve done in the past, that would be fantastic.

Post offices in the US: a guide for Australians

This holiday season I’ve had a few Australian friends travelling in the US, and something I’ve seen repeatedly on Twitter is, basically, this:

So, here is a guide for US post offices, aimed at Australians. I’m qualified to write this because I had exactly this experience when I moved there. It went something like this.

Me, to office manager: “Hey, where’s the nearest post office?”

Office manager: “Uh… I think there might be one at [distant location]. Or you could take the bus to [other distant location] I guess.”

Me: “Isn’t there one closer? Like, walking distances? This is a busy urban area, after all!”

Office manager: *puzzled look* “No, you have to take the bus…”

Me: *boggled*

Then I caught a bus out to some forsaken quasi-industrial wasteland and found a grey-painted bunker with a USPS logo on it, where one poor worker stood behind a screen and a queue of dejected people lined up to collect or mail parcels.

A sad change from the Australia Post outlets I’m used to, which are in convenient retail locations no more than a few minutes’ walk away, have bright decor, and try and sell you things like calendars and gifts and travel whatsits and office supplies and generally are quite upbeat. Not to mention fairly quick service — I was in and out of my local one in 5 minutes, right before Christmas.


Australia Post retail outlet at Sydney international airport

Australia Post retail outlet at Sydney international airport


US post office, location unknown.

And let’s talk about how many post offices there are. Each map, showing search results for “post office near…”, shows approximately the same area — they were all taken at the same zoom level on Google Maps.

Here’s where I used to live, in one of the most densely populated urban areas in the US:

Map showing post offices in San Francisco

San Francisco, population density 17,160 people per square mile (6,632/km2)

Here’s where I currently live, in a country town in Australia:

map showing ballarat post offices

Ballarat, population density 1,957.5 people per square mile (755.8/km2)

Here’s what most Australians, living in capital cities, would be used to:

Map showing Melbourne post offices

Melbourne, 4,058 people per square mile (1,567/km2)

In case you can’t make it out, every small dot on that map is a post office, too, albeit sometimes a licensed Australia Post outlet combined with another business; Google only puts full sized pins for a few of them.

Actually, I fudged the search a little bit, and when I explain why you’ll understand something about the US postal system. See, when I searched for “post office near san francisco” I got lots of small dots, too, which made it look like there were lots of post offices. But when I dug deeper it turned out that most of them weren’t actually post offices, but were “mailing offices” or UPS or other courier shops, or other retail outlets that just sold stamps. I had to specify “USPS post office near san francisco” to get the actual official ones, and I’m still not sure it’s accurate; the USPS locator gives me 34 hits for within 5 miles of 94105 (the zipcode of where I used to work in SF), some of which don’t seem to show up on Google Maps — but note that this is a larger area than is shown on the map above, and that Melbourne still has far more, despite 1/4 the population density.

However, the proliferation of non-post-office hits on the Google map is the key to understanding why Australians get confused when trying to find a post office in America. The point is: most of the services an Australian thinks you’d get at a post office — buying stamps, sending mail, packaging parcels, etc — happens elsewhere. You simply don’t need to go to a post office except in extraordinary circumstances. At least, not if you’re affluent and have good Internet and technology at hand; like so many crappy, underfunded, inconvenient US government services, people buy their way out of using them if they can.

So, here’s the actual advice for Australian travellers looking for a post office in the US.

  1. First things first: don’t ask, “Where can I find a post office?” Ask what you really want: “How can I mail this thing?” The answer is generally not “at the post office”, but some other way.
  2. Buying stamps: in San Francisco, buy them at Walgreens. I’m not sure how widespread Walgreens are, but wherever you are, some major retail chain probably stocks stamps at the counter, and will be more accessible, open longer hours, and easier to find than a post office.
  3. Finding out how much it costs to mail a letter overseas: — don’t rely on Walgreens staff to know this, but do your research ahead and just ask them for the monetary value you need.
  4. Sending letters: mailboxes are painted dark blue and are low-set compared to Australian or British ones, so they’re hard to spot on the street, and USPS’s website doesn’t have a locator. However, you can generally leave your mail at the front desk of anywhere where the post office would deliver mail, eg. the reception desk at an office, or the front desk of a hotel, and they’ll hand it to the mail carrier. (In some places, mail carriers pick up mail from residential mailboxes — that’s what those red flags are all about, which was always bewildering to me back when I used Eudora for email in the 1990s. If you’re staying somewhere with a mail flag on the box, you can leave mail in it, and raise the flag to tell the carrier to collect it.)
  5. Sending parcels: as above for letters, but you can do your own weighing and buy the postage online at You can print out a label and tape it to your parcel, which is valid postage, and you don’t have to visit a post office at all. Most hotels, offices, etc should have a scale you can borrow to weigh a parcel.
  6. Buying mailing materials (envelopes, boxes, bubble wrap): the same place you buy stamps, or an office supply store like Office Depot or Staples.
  7. Another option: in the US they rely much more heavily on courier services like UPS and FedEx. If you’re sending a parcel, it may work better to use them. Check their websites and you should be able to calculate shipping prices, print a label, and arrange a pickup. There are also retail outlets for these services, which will also sell packing materials and print the mailing label for you, and are generally easier to find and get to than an actual post office.
  8. If you’re trying to mail parcels internationally, you’ll probably have discovered how ridiculously expensive it is from the US (around $100 to send a small, 1kg package to Australia, for instance). So in fact, it’s probably cheaper to get an extra suitcase and pay excess baggage fees for your flight back. Sad but true.

So in short: ask “where can I buy stamps/packaging?” or “where can I mail this letter/parcel”, and the answer will be something other than a post office. Hope that helps!


I’ve been kind of rubbish about posting life updates over here, so I just thought I should make a note that I’m planning to move to Ballarat by the end of the year. Why? Well, my current housemates are going their separate ways and it was either find two new ones, or get a place by myself. Ballarat has cheap rent (not much more for a full house than it currently costs me for a room in a share house), fast internet, is only an hour or so from Melbourne by public transport (I expect to be back pretty regularly, maybe every week or two), and I can have a proper veggie garden.

For those not from around here: Ballarat is a small city of ~80,000 people near Melbourne, and was at the centre of the Victorian gold rush and also the site of the Eureka Rebellion of miners and others seeking reform (i.e. voting rights). In US terms it’s a “college town”, in that the local university is one of the biggest features. Although only the size of Boca Raton or Yuma it’s not as conservative as a similar-sized US city would be; it has a Labor (centre-left) member of parliament, a decent portion of Green voters, and workable public transit, albeit on a small scale. UK people may like to compare it in size to Chester, Durham, or Bath.

I lived in Ballarat for a semester in the 1990s, on an internship with Mars Confectionery, whose Asia-Pacific HQ is on the edge of town. I found it pleasant apart from the work — Windows 3.1 and Novell support, which involved a lot of crawling under desks and scraping chocolate off the inside of keyboards. I was one of the few civilians in town to have any Internet access, as I managed to beg a 2400 bps dialup off someone at the uni computer centre. At age 19, it was only my dialup connection and weekend trips to Melbourne that managed to offset the boredom of office colleagues talking about football and lawncare; 20 years later, I don’t have to work in an office, pretty much everyone torrents Game of Thrones, and though I don’t much care about lawns people usually find my veggie-garden talk less weird than my obsession with Linux and cyberpunk SF was back then.

To answer a FAQ: yes, Ballarat is colder by Melbourne by a couple of degrees. I’m pretty sure I’ll cope with it, since I lived 4 years in Canada. Bit of frost? Bring it!

To answer another FAQ: yes, I’ll be expecting friends to visit!

More detail to follow once I actually have a house and stuff.

Clicky web analytics: highly recommended

I know I’ve mentioned this before, but I just discovered they have an affiliate program and, well, that’s an excuse to mention it again.

I’ve been using Clicky for web analytics for Growstuff, and I’m delighted with them.

They are basically a drop-in replacement for Google analytics, but run by a company who care more about, you know, analytics than selling ads. Clicky gives me all I need in terms of pretty charts and reports, and I can see where Growstuff’s visitors are coming from and how they’re using the site. Pretty much what you’d expect.

I’ve also paid for a premium account, which gives me two features I really love: “Spy”, which shows me people’s activity in real time (and makes a delightful “DING!” in my browser when we get a new visitor, which can be quite noisy at times, though of course you can turn the sound off if you prefer), and a heatmap overlay for the website that shows where people are actually clicking on the page — great for seeing which parts of your site are getting the most attention.

On top of all that, they’re friendly and responsive and have been really helpful on Twitter when I’ve had questions for them.

Anyway, if you’re looking for an analytics system that’s not run by a kind-of-evil ad company, and you want to support independent software companies and not be a free user, give Clicky a shot. If you use this affiliate link and buy a premium account, it’ll help Growstuff out a little bit, too.

What is a spike?

There was some discussion on the Growstuff IRC channel last night, while I was asleep, about the term “spike”. I use it a bit on the Growstuff project but I don’t think everyone knows what I’m getting at, possibly because I picked it up by osmosis from the Extreme Programming community over a decade ago, and the term’s fallen out of favour since then. So here’s a quick definition as I use it:

  • A spike is experimental. It’s for writing something you’ve never written before, and don’t quite know how to start.
  • A spike is a learning exercise. The goal isn’t to write a new feature. The goal is to get enough knowledge to know that you can write that feature.
  • A spike is a conversation-starter. It moves abstract “maybe we could…” conversations into the concrete.
  • A spike may not follow coding standards. You don’t even know this thing is possible. It’s pretty hard to write tests first in that situation.
  • A spike is thrown away when you’re done. It gives you enough to say “okay, we know this is possible”, and then go and write it properly.

A couple of interviews

I’ve recently been interviewed by a couple of different blogs, and thought I should link them here:

  • The Ada Initiative blog interviewed me about Growstuff, pair programming, and social justice. They’re having a fundraising campaign to support their work with women in open technology and culture, by the way, and if you care about those things you should definitely donate.
  • Maciej from Pinboard interviewed me for the Pinboard blog, also about Growstuff, which (as you may recall) he funded to the tune of $37 back in January. It’s good to have such support from our investors ;)

Go, read!

Start your commit message with a verb

I’ve been pair programming with a lot of different people, with a variety of skill levels, on Growstuff over the last year. One thing I’ve noticed is that some people freeze up when it comes to writing a commit message. They type “git commit” and then sit there for a minute going “uhhhh”.

I understand this. It’s hard to convert maybe an hour’s hard work in code into a short sentence of English. How do you compress such complex ideas? How do you even make words, when your brain has been deep in code?

So here’s the tip I give to my pairing buddies who freeze up when it comes time to commit, and I offer it here for free: Start your commit message with a verb.


The rest usually comes easily. What did you add? What did you fix? What did you refactor? Grammatically, this is the direct object, and starting with a verb works as an effective prompt to figure out what it might be.

Sometimes you need an indirect object as well (“Added planting_count to crops”) or a reason (“Added planting_count to improve performance”) but really, if you can get a verb and a direct object, you’re most of the way there. And it’s certainly better than “WTF!?” or “yay bugfixes!” or “.”, all of which I’ve seen as commit messages.

You’re welcome.

(Of course, if you don’t freeze up when you have to write a commit message, then keep doing what works for you.)

Clicky Analytics with Mediawiki

This is one of those posts I’m making for the benefit of anyone who googles, wondering whether there’s a Mediawiki extension to integrate Clicky Analytics.

As of right now, there’s not, but there is a good explanation of how you can put some custom code in your LocalSettings.php to integrate any analytics stuff that you like.

Here’s a generic version that will work for any analytics system, hopefully cut-and-pasteable. It works fine on my Mediawiki install right now (version 1.20.x) but is not guaranteed for any future versions. Or, well, it’s not actually guaranteed for this one, now I think about it. Use it at your own risk, is what I’m saying.

Note that you have to paste the analytics code from your provider in around line 16.

Hope that helps.

As a side note: I’m very happy with Clicky, so if you’re looking for an alternative to Google Analytics, you might consider them. Yes, they cost money, but that’s a good thing. Don’t be a free user.

The problem with doing one thing well

You’ve probably heard the tech startup aphorism “do one thing well”, or a variant on it. “Don’t try to do too many things”. “Focus.” Whatever.

I’m not very good at following it, as is pretty apparent from what I’m working on. Growstuff has several things it’s trying to do (crops database, garden journal, seed sharing, community building), all interlinked.

Every so often someone points me at a website that does just one thing of the set of things we’re trying to do. For instance, the other day I got an email from a Transition Town contact, suggesting I look at RipeNearMe, which offers produce sharing/trading. If you’ve got extra lemons or zucchini or eggs, you can offer them for sale to people nearby. Great! The website looks fantastic, and they’re starting to get people listing stuff. (If you want to see some examples of what they’ve got available for trade, check this neighbourhood near me, which has a few things listed, though it’s sometimes slow to load.)

The Transition contact went on to say that maybe Growstuff should “join forces” with RipeNearMe, so as to avoid duplicating effort.

The problem is, we can’t. RipeNearMe doesn’t have any way for us to integrate with their data. There’s no API, and their terms of use are restrictive and prevent us from using their data in any way. (There’s also no open development community we could join, but that’s not what I’m discussing in this post.)

There are a lot of gardening sites out there that do one thing, often very well indeed: a Q&A forum, a seed swap site, a database of planting times, garden layout tools. But when we talked to people who used them, they said “I used this site for a while, and it was useful for that one thing, but I really wanted $other_thing as well.” Usually there is another site that offers the desired feature, but it doesn’t integrate with the first one. As a gardener, you need to use a dozen disparate sites, re-entering your garden data in each one, and having to check in on each of them regularly to keep them updated. It’s no wonder that so many gardening sites, flourishing at first, start to die down after a season. Before long you can see weeds growing everywhere.

That’s not to say that open data and APIs solve everything — I’ve written before about how importing data is hard — but without them it’s impossible to integrate anything.

I’m reminded of Anil Dash talking about the web we lost: heavily interlinked, easily syndicated, less silo-ed. I’m also reminded of the Unix philosophy and especially of pipelines. Unix commands “do one thing well” — sort a series of lines, count words, spit out the contents of a file — but they don’t work alone. You can chain them together to say things like “show me the wordcounts of all these files in descending order”, or express even more complex ideas, as if building a tower from blocks.

Now think of that in terms of gardening websites. How awesome would it be if you could say “take my garden layout from SmartGardener and import it into my to-do list on Growstuff, then cross-reference it with the planting dates on Gardenate and the weather feed from the Bureau of Meteorology, and tell me when to plant things. Then when I harvest the results, let me post my excess across to RipeNearMe and, heck, why not CraigsList too?”

That’s pretty unlikely to happen, but until it does, I feel pretty justified in not doing “just one thing” with Growstuff. “Just one thing” only works if you can integrate with other things. If you build one amazing feature and put a fence around it so nothing can get in or out, what’s the point?

A realisation about working for myself

One of the best things about leading my own project has been not having to pretend I’m some sort of shit hot programmer. It’s nice to be able to to say “argh, that’s too hard, fuck it” or “I have no idea how this works” without worrying about my performance review.

Of course, I also like to claim that I’m providing a visible example that it’s okay not to be perfect or know everything, to help make it less scary for our newer contributors. But mostly it just feels good to realise that the pressure’s off, I don’t have to pretend to be what I’m not, and I can learn and get shit done at my own pace.

Travels: SFO for the weekend, PDX for Open Source Bridge

Hey, I am massively disorganised this week, but I figured I should probably mention that I’m going to be travelling and would like to catch up with people.

Saturday 15th to Monday 17th June, I will be in San Francisco, mostly in the Castro/Mission/ish area. Social activities planned so far include:

  • Saturday afternoon: hanging out on Liz Henry’s patio in Bernal Heights, with laptops and snacks and generally socialising. Likely to be a hackerish/feminist crowd. If you know Liz and where she lives, just show up. If you don’t, then she says to email her and she’ll give you directions.
  • Saturday evening: drinks and foods at The Liberties, corner of Guerrero and 23rd. My old local. I believe that a space has been booked for a group in either the back or side room. Not sure what time this’ll go to, but just a warning that I’m not likely to make a very late night of it what with jetlag and stuff.
  • Sunday morning: brunch at Erica’s, and again, if you know her then you know the drill.

Sunday afternoon/evening are unscheduled, but I would expect that we’ll probably have some kind of dinner plans, so let me know if you’d like to be part of them.

Monday I’m hoping to have lunch with the Metaweb crew at Google (I’d better email them about that, huh?), meet up with some other folks (yipe, gotta email them too), and then off to PDX in the evening.

PDX: mostly I’m just gonna be at OSBridge. I’ll be keynoting Wednesday morning, and splitting my time between talks and the hack lounge. I think there has been talk of an outing to yarn and/or fabric stores at some point. Yes? Then, the weekend afterwards, some Growstuff folks are going to carpool and head out into the country to visit some farms and community gardens and stuff like that.

I would love to catch up with as many people as possible, so please, drop me a line if you’d like to have tea or burritos or go yarn shopping or whatever. See you soon!