Monday, September 9, 2013

Freelancer musings, zombie edition

What a long, strange eight months it's been since I last wrote in this space.  I've gained clients, lost clients, gone through personal things both good and bad.  Wow.

I first started this blog in an attempt to chronicle my journey from a dabbler to quasi-professional in the hope of helping anyone who faced similar frustration.  The funny thing is, along the way I've learned that there's no set definition for professional.  There's always more to learn, always things I can improve on.  I'm beginning to think that desire to go on the journey of self-improvement is itself professionalism, rather than any particular collection of skills or ability.

I've noticed, too, that my blog entries mirrored that transition.  They've become less about particular technical hangups and more about what it is to be a freelancer.  It's interesting to read through everything in one sitting and see the shift in perspective.

So, with that realization in place, I figure I should consciously shift gears.  While I'll still write about any technical problem or solution I feel warrants attention, I'm more interested in writing about what a freelancer should be, and how they should approach business.  I'm not an expert; the title of my blog is still more than accurate.  But I am a bit of an idealist, and I tend to have a good handle on what makes people tick.  I believe that if I/you/we can remember that we're dealing with people, with their own goals, limits, fears, etc., we can all come out ahead.

Like I've said before, respect and honesty are the cornerstones of any relationship.  That includes business relationships.  And I hope that any current or potential clients read this blog.  Not for my own sake, but so they can educate themselves on how to identify quality.


So, today's post deals with pricing, specifically whether one should set a price per page.  It was inspired by this thread on PHPFreaks, and you can see my immediate responses there.  Back in the old days - the late '90s/early 2000s - web designers often set their prices per page.  It wasn't uncommon to see something like, "$100/page, $500/site" back in those days.  And it worked for a while, as most sites were just a collection of static HTML pages that didn't really do anything.  They just sat there and looked pretty.

With the modern web, that kind of pricing just isn't realistic any more.  For one, while users still view the web as a collection of pages, under the hood there's generally a lot going on.  Like pulling data from a database, or custom JavaScript that talks between the browser and server, and let's not forget those awesome custom graphics.  And even in the rare cases where it is literally just some HTML pages tied together, chances are there's a professional grade framework running things just below the surface.  Why?  Because clients like to add to and expand their sites, and the smart developer will have anticipated it.

For my money, price per page indicates that the person is either way behind the times, or they're a WordPress/theme installer.  The first option is one potential clients should avoid at all costs.  There's nothing wrong with the second possibility per se, but they're not really developers.

Like I've said in previous posts, a developer will do whatever custom work is required to get the job done, and communicate with their client and try to work out a pricing arrangement that makes both sides happy.  Creating a website should be a boutique experience for the client, one they're fully invested in emotionally so they can feel a sense of pride and ownership.

So, if you're not in a position to charge a lot for your services, don't.  But don't fall into the price per page trap.  It doesn't work.

Sunday, January 6, 2013

Musings of a freelancer

One of the topics that comes up a lot on the PHP Freaks forums is freelancing: how to find clients, how to market oneself, how much to charge per project, etc.  Having been a freelancer for a while, this is the nugget of wisdom I've discovered:

Freelancing is not about you.  It's about serving your clients.

A lot of the budding developers (and bitter, not-as-successful-as-they-want-to-be veterans) I encounter view freelancing as a means to an end.  A way to pad a portfolio, or to create their own shop, or to act as supplementary income.  And, certainly, those are worthwhile benefits to pursue.  But the best way to achieve those rewards is to put your client's happiness first, within reason.

This means being honest with your clients.  Don't promise what you can't deliver.  Instead, be honest about your abilities.  Many small business owners have been burned by bad developers who promised the moon and delivered a pebble, at great cost.  Don't be that developer.  Being honest, even if it means losing out on potential clients, leaves your reputation intact.  A freelancer's reputation is the most important thing they have, even beyond a good portfolio.  So, be honest at all times.

This means being in regular contact with your clients.  As frustrating and perhaps even capricious as some clients can be, you're working for them.  They need to be on board.  The more involved they are, the more they'll help you.  The last thing you want to do is treat the client like an adversary, or to hide away for weeks/months at a time while you work on their site.  No contact leads to frustration, which eventually leads to a broken relationship and no money.

This means being reasonable about pricing.  Sometimes clients simply can't afford a developer's rate, or some ancillary cost like hosting.  If you can, offer to lower your price, or cover the other associated costs, or accept a payment plan.  In many cases, taking on some (emphasis on some) of the financial burden now leads to the client paying you more in the future as they'll inevitably want to expand their site.


The point isn't to screw yourself over.  Rather, the point is to offer excellent service at a reasonable price.  A happy client is an ally.  If they're satisfied, they'll want to continue working with you.  Even better, satisfied people, as a rule, brag to their friends, families, and customers about good things.  If you are one of those good things, you'll get new clients.  Word of mouth advertising is still the best around, and having a client go to bat for you is invaluable.

So, if you're looking to freelance, go around town and offer your services.  Every town has at least one small business that wants a site or needs a complete rewrite of an existing site.  Treat that client well, and watch the cycle begin.

Wednesday, October 24, 2012

Catch-all post about solving setup issues with PhpStorm, Composer, and Symfony2

I had to do some preliminary work over the last week or so to create a workable PHP development environment before diving into some moderate-to-heavy work making a small e-commerce site.  I've had a VirtualBox install of Linux Mint 12 on my laptop for a while, but it was never set up quite the way it should've been.  So, I took the time to do it right.  Unfortunately, open source software tends to have shitty documentation, so in order to prevent others from making the same mistakes I did, I'm going to list my problems and my eventual solutions.


PhpStorm is an awesome PHP IDE from JetBrains.  .NET programmers will recognize JetBrains from ReSharper (R#).  It's not quite as all-inclusive as, say, Visual Studio.  Unit testing and debugging don't come built in as part of the software.  Instead, it's designed to integrate with PHPUnit and one of Xdebug or Zend Debugger.

Setting up PHPUnit is fairly straightforward, but the debugger is another matter.  The (somewhat confusingly written) documentation would lead you to believe that you need to play with IDE tokens and ports and server names and other things.  Not really, at least, not in my case.

PhpStorm's debugger listener is pretty smart.  In a lot of cases it can automatically detect a debugging session.  The steps are ridiculously simple:

1. Install a debugger on your system.  I opted for Xdebug, so it was simply a matter of:

$ sudo apt-get install php5-xdebug

2. Edit your php.ini files (both the web server's and the CLI's) so xdebug.remote_enable is on, and restart your server.

3. Follow the other instructions here: Zero-configuration debugging with Xdebug and PhpStorm 2.0.  Even though PhpStorm is now up to version 5.0.2 as of this writing, the instructions here worked like a charm for me.


Composer is a dependency manager for PHP written by Nils Adermann and Jordi Boggiano (with contributions from others).  It's nice and lightweight.  A JSON config file lists the packages you want/need for a project, and it looks at both its package repository (Packagist) and GitHub for them, installing them in a /current/path/vendors/ directory.

My problem with Composer was that I kept running into connection timeouts.  It wasn't a network error on my end - I have ~12 Mbps downstream, so that's not a problem.  After a lot of searching, I found that the issue was caused by Composer being inefficient in its searches/downloads.  Something about it looking at both the distribution version and the source version of a package.  To get better performance, a --prefer-dist option was added to the command line.  Unfortunately, that switch is not mentioned anywhere in the documentation, nor in the CLI's --help output.

So, to use the option, simply (assuming a global install of Composer):

$ composer update --prefer-dist

Composer now works perfectly for me.


Symfony is a modular MVC framework from Sensio.  The Standard Edition comes with a demo app, which should be removed before doing your own work.  The Standard Edition's GitHub page describes the process of removing the demo.  Unfortunately, the instructions regarding security.yml are wrong.  Simply removing those listings results in a runtime exception.  No, instead you need to provide default values.  Nice to know now.

So, there you have it, solutions to issues not mentioned in official documentation.  Hopefully I can stop others from getting frustrated.

EDIT: Thanks to Tony Quilkey, a.k.a. trq, a.k.a. thorpe for setting me straight on Composer's lineage.

Thursday, October 4, 2012

Basic PC security Part Deux

Part 1

How can I look at things safely?

It's somewhat difficult to concisely talk about the browser and browsing habits because some of the issues are technical, and some are human in nature.  I'll focus on the technical first, because they're easier to address.

The web gets its interactivity through technologies like Flash and JavaScript.  Unfortunately, those very same technologies can prove to be harmful.  Flash, in particular, is known for its exploits, both because its creator, Adobe, is slow when it comes to patching them, and because Flash is the platform online advertisements are generally built on, which gives would-be attackers an incredibly wide target audience.  While it's less common now, attacker-compromised ad servers are a popular way to spread malware.

While not directly dangerous, JavaScript can be used to dynamically load other data, or to bring the user to another destination that contains something dangerous.  While JavaScript can be turned off in the browser, many websites (like just about everything Google owns) require it, so removing it from the equation entirely is essentially impossible.

The solution for both problems comes in the form of browser plugins and/or settings, depending on the browser itself.  For Firefox and Chrome, the plugin Adblock Plus stops any and all ads (after tweaking some settings) from appearing.  In some cases, that can cause some site functionality to break, but you can tell it not to block ads on a particular site.  Similarly, for JavaScript, the NoScript plugin stops all scripts except for those you explicitly allow.  That kind of granular control will allow you to customize your internet experience.

Bad browsing habits are a bit harder to curb.  Generally speaking, sites that offer free merchandise (like, say, an iPad), sites that offer free porn, and sites that offer crass, edgy videos and images tend to be a breeding ground for malware and assholes.  I'm not sure if it's the same today, but back in the day sites like eBaum's World crawled with bugs.  If it sounds too good to be true, or if the site would attract people who would have no qualms with screwing with other people, try to stay away.

Be aware of any downloads.  If you're downloading a document, it should end in .pdf, or .doc, or .docx.  Don't open anything from a source you're not familiar with.  That means email, images, files, etc.  If you don't know the source, you can't trust the source.
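The advice above is to look at the file extension before opening a download.  As an added illustration (my own example, not code from the original post), the check below goes one step further than the post and also compares the first bytes of the file with the signature the format is supposed to start with, because a file's name is chosen by whoever offers the download while its leading bytes are harder to fake.  The sample "downloads" are constructed inline; the signatures for PDF, legacy .doc (OLE2 compound file) and .docx (ZIP container) are the real ones.

```python
import os

# Document types the post says a downloaded document should end in, paired with
# the file signatures ("magic bytes") those formats actually start with.
DOCUMENT_SIGNATURES = {
    ".pdf": (b"%PDF-",),
    ".doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),   # OLE2 compound file
    ".docx": (b"PK\x03\x04",),                        # ZIP container (OOXML)
}


def check_download(filename, head):
    """Classify a download from its name and its first bytes.

    Returns one of:
      "ok"            extension is a document type and the bytes agree
      "not-document"  extension is not .pdf/.doc/.docx (e.g. invoice.pdf.exe)
      "mismatch"      document extension but the contents are something else
    Only the last extension counts, so a name like invoice.pdf.exe is an
    executable, whatever the middle part says.
    """
    ext = os.path.splitext(filename)[1].lower()
    signatures = DOCUMENT_SIGNATURES.get(ext)
    if signatures is None:
        return "not-document"
    if any(head.startswith(sig) for sig in signatures):
        return "ok"
    return "mismatch"


# Constructed sample "downloads": just the leading bytes a checker would read.
SAMPLES = {
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj",
    "notes.docx": b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml",
    "old.doc": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1\x00\x00",
    "invoice.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",   # Windows executable
    "statement.pdf": b"MZ\x90\x00\x03\x00\x00\x00",     # executable renamed to .pdf
}


def check_all(samples=SAMPLES):
    """Run check_download over every sample and return {name: verdict}."""
    return {name: check_download(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{name:20s} {verdict}")
```

Two limits worth knowing: a ZIP signature only tells you that a .docx is some kind of ZIP archive, and a file that really is a PDF can still carry something nasty inside it, so this check complements the post's rule about unknown sources rather than replacing it.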

One final thing: be cognizant of what you share on social media.  Do you really want the entire internet connected world to know your address, number, work address, husband's/wife's/children's info, or pictures?  Information is power.  Don't let those you don't know have power over you.

I'm sensing a common theme... the human factor is key, huh?

In any system, the weakest point is wherever humans enter the picture.  We're fickle, impatient, moody, and ambitious - the perfect combination for exploitation.  Social engineering (or, in non-nerdy terms, conning/scamming) is still one of the most effective ways to compromise a system.  Attackers disguise themselves and their requests as legitimate, hoping that they're in contact with a computer illiterate mark who will be led to give away their own secrets.  And it happens all the time.  This year's rash of Xbox Live account thefts was largely due to people duping the Microsoft employees on the customer service line.  Someone posing as Windows tech support tried scamming Ars Technica.

There are so many ways that attackers can disguise themselves, it's impossible to talk about them all in this space.  But, I can give some general tips:
  1. If something seems suspicious, it probably is.
  2. No reputable company will ever ask you to email them your login credentials.  They already have them, and don't need them to refer to your account.
  3. Be wary of any email asking you to login to fix some error.  Call the company (and be sure to use their real number, NOT what's in the email) to verify.
  4. Tech support will never call you out of the blue.  It doesn't work that way.
  5. Where available, use two factor authentication.
  6. When in doubt, ask your nerdy friend/relative.
Above all else, remember that there are people out there who would like nothing more than to get their hands on your money, your identity, and your very being.  Be cautious, be smart.

What about viruses and stuff?

Amazingly, it's fairly simple to protect yourself.  Windows' firewall is turned on by default.  The question then becomes, "What anti-virus and anti-malware software should I use?"

New computers come with a heap of useless crapware.  That McAfee or Symantec/Norton anti-virus that came with it?  Also crap.  They're bloated pieces of code that have low detection rates and cost money.  Horrible.  There's no need to pay for a quality anti-virus program.  While there are many free alternatives (AVG, Avast!, etc.), I prefer Microsoft Security Essentials.  It's absolutely free; no fee for initial download or any kind of subscription nonsense.  It doesn't take a lot of resources.  It's unobtrusive.  It has a high and accurate detection rate.  For my needs, and likely the needs of most end users, it's just about perfect.

For my anti-malware supplement, I use Malwarebytes' Anti-Malware.  It's also free, and is a no-nonsense malware detector/remover that can sniff out just about anything.

Do these programs make a computer bulletproof?  No.  But when combined with other preventative measures, like good browsing habits, they're very effective.

As an aside: those Finally ads, and any other service built around "Clean up your PC!" are selling snake oil.  There's no reason for anyone to pay for that kind of service.  With the links provided above, you already have most of the tools needed to clean up your PC yourself.  Why pay someone $60-$80/hr to do it when you can do it yourself in a weekend?

So, is that it?

Well, not really.  Security is a broad topic, so broad it's impossible to completely tackle in a blog format.  My main goal is to raise awareness and curiosity.  There's no reason to not be aware of the incredibly basic steps needed to help secure yourself.  Given our ever increasing online presence, protecting ourselves on the internet is at least as important as physically protecting ourselves, our families, and our homes.  Since the only real costs involved are time and employing common sense, there's no reason not to take preventative action.

Unoriginal title for a post about general PC security (Part 1)

First, let me preface this by stating that I am not an expert in online security.  I'm not a hacker, I'm not a cryptologist.  I'm a web programmer who tends to view security from the POV of an end user.

Okay, with that said, here we go....

I've bought this $500+ piece of machinery, but you're asking me to understand how it works?

The sad fact of the matter is that many people who own computers are still largely computer illiterate.  Some are afraid to break/screw things up with their new appliance, and others are simply not interested in learning more than how to send email, visit YouTube, and do some basic office work.  The problem is that seemingly innocuous online activity can lead to a host of problems.  Addressing them isn't difficult, but it requires a bit of effort.  Just like a car needs regular maintenance to keep it on the road, a computer needs regular maintenance to keep it running and your information safe.

It's important to note, at this juncture, that there's no such thing as 100% secure.  Cyber security is always a game of catch up.  The various hackers, malware authors, and other black hat individuals and organizations out there will always have an advantage because, in a lot of cases, threats can't be addressed until an exploit has been abused.  The best we can do is engage in behavior to mitigate risk, and be prepared if an attack does happen.

What do you mean 'P@ssW0rd' isn't a good password?

Let's start with passwords.  If you do anything online, you're all but certain to have one.  A good password is long (the longer the better), contains a bunch of different characters (letters, numbers, punctuation), and isn't based on a dictionary word, or common phrases.  They should also be unique for each account (more on this in a minute).

The problem is that long passwords not based on a memorable pattern and filled with a variety of characters are hard to remember.  They're also a pain to type.  So, what people generally do is create a short, easy to remember password and then use that for just about everything.  If an online account is compromised, who cares?  It's just an account to Fluffy Birds or something unimportant, right?

Wrong.  If login info is compromised (and many times they're compromised without one knowing about it at all), then every account that uses that info is compromised.  That could mean your bank.  Your social media accounts with all the personal information about you and your family.  Your life could be laid bare for those who wish to do you harm.

So, what can be done?  I'm a huge fan of password manager software.  This software is essentially a database of all your passwords.  Even better, most come with a password generator, giving you a high entropy password at the click of a button that you can use for any account.  The password manager itself can be protected with a password, and some even allow you to use a separate key file as a second form of authentication.

The general workflow is:

Sign up for a new online account
Open the password manager
Generate a new password with the password manager
See if the site/system will take it*
If yes, you're registered, if not, keep generating new passwords until one sticks

To log into a site that requires a password, simply open the manager, and copy/paste the password into the password field.

*The unfortunate reality is that many sites put ridiculous limits on what they accept for passwords.  Microsoft, for example, limits passwords to just 16 characters, while EA prohibits certain special characters from being used.  These restrictions are completely artificial, and really only serve to negatively affect how secure your login information actually is.
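To make the workflow above concrete, here is an added example of my own (not code from the post or from KeePass) of what a password manager's generator does and why the site restrictions in the footnote matter.  It draws passwords uniformly from the OS random source, computes the entropy that gives, and runs the "keep generating until one sticks" loop against two constructed site rules: a composition rule that random retries will satisfy, and a hard 16-character cap that they never will, which is why the generator has to be told about such caps up front.  The site rules, the 24-character default and the forbidden-character set are my assumptions.

```python
import math
import secrets
import string

# Character classes the generator draws from: 94 printable ASCII symbols in total.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length, alphabet_size):
    """Entropy (bits) of a password of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def generate_password(length=24, alphabet=ALPHABET):
    """Uniform random password from the OS CSPRNG, as a manager's generator does.
    `secrets`, not `random`: the latter is predictable and unsuitable for secrets."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fit_to_site(preferred_length=24, max_length=None, forbidden=""):
    """Adapt the generator to a site's published rules (a length cap like the
    16-character one in the footnote, banned punctuation like EA's) and return
    the (length, alphabet) the generator should use."""
    length = preferred_length if max_length is None else min(preferred_length, max_length)
    alphabet = "".join(ch for ch in ALPHABET if ch not in forbidden)
    return length, alphabet


def register_password(site_accepts, length=24, alphabet=ALPHABET, max_attempts=50):
    """The workflow from the post: generate, submit, keep generating until one
    sticks.  Returns (password, attempts), or (None, max_attempts) when the site
    never accepts; that is the signal that a hard rule cannot be met by luck and
    fit_to_site() must be applied instead."""
    for attempt in range(1, max_attempts + 1):
        candidate = generate_password(length, alphabet)
        if site_accepts(candidate):
            return candidate, attempt
    return None, max_attempts


# Constructed site rules standing in for the ones the post mentions.
def composition_rule(pw):
    """A site that insists on at least one digit and one uppercase letter."""
    return any(c.isdigit() for c in pw) and any(c.isupper() for c in pw)


def sixteen_char_cap(pw):
    """A site that rejects anything longer than 16 characters."""
    return len(pw) <= 16


if __name__ == "__main__":
    pw, n = register_password(composition_rule)
    print(f"composition rule: accepted after {n} attempt(s): {pw}")

    pw, n = register_password(sixteen_char_cap)
    print("16-char cap with a 24-char generator:", "never accepted" if pw is None else pw)

    length, alphabet = fit_to_site(max_length=16, forbidden="<>\"'&")
    pw, n = register_password(sixteen_char_cap, length, alphabet)
    print(f"fitted generator: accepted after {n} attempt(s): {pw}")
    print(f"entropy: 24 chars from 94 symbols = {entropy_bits(24, 94):.0f} bits; "
          f"16 chars from {len(alphabet)} symbols = {entropy_bits(16, len(alphabet)):.0f} bits")
```

The entropy line is the point of the footnote in numbers: capping a password at 16 characters costs roughly a third of the strength a 24-character one would have, and every banned character shrinks the alphabet a little more.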

I use and recommend KeePass.  It's free, it's easy to use, and it's available on just about every operating system one would want.  I use it on my iPad, laptop, and desktop, and with it, I can hit all the important attributes of a good password:

Not based on a dictionary word
Character variety
Unique to each account

Okay, cool, now what?

I'll talk about browsing, but in a new post to keep things readable.

Thursday, September 13, 2012

Ghost Hunters; or, That's not how science is done!

As I wait to hear from a client, I figured it was time to finally write my long awaited rant against Ghost Hunters and other shows of its ilk.  Those who know me personally know I have a seething hatred for it, but since my problems with it are many, I've never been able to succinctly express exactly why I hate it.  I figure that it's likely easier to put my thoughts down on 'paper', so here we go.

1. Assumptions

Let's first talk about the assumptions GH makes in order to have the viewer buy into what they're selling:

A. It is assumed that these people are professionals.  After all, they have a TV show.
B. It is assumed that ghosts exist.  This assumption is reiterated every time one of the people attempts to describe what they're scanning for.
C. It is assumed that the show is being truthful.

The two founding members of TAPS (the GH group) are Grant Wilson and Jason Hawes.  Before the show, they were part-time plumbers and co-owned a NH hotel.  They did ghost hunting on the side.  Neither of them, nor any other member of their crew, has any formal scientific training.  They are, by all definitions, normal people without formal training.

We are told many times that the paranormal can do any of the following:

Emit an EM field.
Emit cold.
Can speak/make noise.
Manipulate matter (footsteps, things thrown, etc.).
Temporarily become visible.

The Ghost Hunters don't offer any explanation aside from their experience.  That leads into....

Despite the show airing on cable TV, paid for by advertising and merchandise, the crew is being honest in their pursuit of the truth.

2. Faux Science

What the GH crew does is not science.  For one, real science doesn't assume that the thing it's testing for is real.  Second, science is testable.  Third, science is repeatable.

The way GH works is that they find an interesting/spooky place whose owner is already predisposed to believing in ghosts.  They interview the owner, paying close attention to particular details of the supposed hauntings.  They then spend the night in the location while filming/recording.  At dawn they stop, go over the hours of media they produced, and then present their findings.

One night's worth of observations is NOT scientific.  It's the very definition of small sample size.  A real scientific endeavor would take far longer (weeks, if not months or even years) in order to weed out all the variables (seasonal changes, atmospheric conditions, etc.).  The data itself would be analyzed by professionals.  Secondary (or even tertiary) observations may be required if the initial data sets were inconclusive or raised questions.

But, what of the data itself?  Unsurprisingly, everything TAPS records is digital.  That means it can easily be altered.  Add to that the abilities of an on-site production crew, and the fact that, again, this is being done for profit, and the data has to be considered suspect at best.

"Wait!  The GH crew itself debunks things all the time!"  Ah, well that plays into....

3. The Trick's the Thing

Ghost Hunters is one of the only shows where the majority of the action takes place off camera.  Think about that for a moment.  9 times out of 10, the camera is focused on one of the members' faces when the inevitable (and there are always at least two per case, for advertising breaks) surprise happens.  And, really, that's the key.  The focus of the show isn't the place they're in, or even ghosts at all.  It's the crew.  They're the stars.

Now, there are shots of EMF meters blinking their lights, and various FLIR images, and even the occasional stationary camera shot.  I'll go through them individually.

The EMF meter shots are always filmed the same way: a tight zoom on the device itself as its lights blink in accordance with the off-screen instructions of a team member imploring a ghost to make the device light up.  EMF meters do exist, but they don't generally look like what the GH crew uses.  So, it's questionable as to whether the GH prop is legit in and of itself.  Being charitable and assuming it is, why is the camera zoomed in so closely?  There's no need for the device itself to take up the majority of the frame, especially given how often things 'happen' off camera.  I have the suspicion that since the lights ALWAYS behave on cue, someone to the side is manipulating them.

The FLIR images, being digital, can easily be manipulated in post-production.  Some, like the far-off humanoid images, likely ARE people (producers, assistants, etc.).

The stationary camera shots usually pick up some physical movement that's off to the side, in the distance, or with a small object (desk clock).  Usually something moves, slides, rolls, or opens/closes suddenly.  This kind of thing has been used to great effect in movies like Paranormal Activity.

The same sort of thing can be said about the sounds obtained from EVP sessions (Electronic Voice Phenomenon) when one of the crew sits alone in a room and attempts to talk to a potential ghost while recording audio.  Since the recording is digital, it can be easily manipulated.  More on EVP:

What about the GH crew debunking things?  That all adds to the air of authority and truthfulness.  It's simply a way to get people to trust them.  It's really no different than a snake oil salesman plucking a 'random' member from the audience.

4. Conclusion

In the end, Ghost Hunters is not scientific.  It's not even remotely believable.  It's merely a combination of likeable everymen visiting spooky places at night while using camera tricks and post-production editing to sell a story.  There's no truth here.  Rather, it's just the continuation of a brand that's more interested in DVD sales than knowledge.

Friday, July 27, 2012

Adventures in repository land

My original Entity Framework repositories sucked.  No, they really did.  They were bloated, ugly things, each tied to a particular type, and filled with repetitious code that was far too application specific.  I mean, look at this crap:

To be fair, the code above was one of my first iterations of a repository, written before I was comfortable with C# and EF.  That said, the recent iterations of my standalone repos weren't much better.  A whole bunch of inflexible, type-specific code.

I knew that the ideal solution would be to make my repositories as generic as I could (code to an interface, not an implementation, right?), but the existing Game repo had specific functionality not shared with the others, and, more importantly, it required the eager loading of related data, and I wasn't sure how I'd tackle that, or if it was even possible.

IObjectSet does not have the Include() method, and I thought I was sunk until I found this old blog post from Julie Lerman.  IObjectSet implements IObjectQuery, which meant that I could write my own extension method that (for all intents and purposes) overloaded Include().  Problem solved in a decidedly C# way.

So, behold my generic repository, and my Game specific subclass:

Now, what about my Game-specific code?  Simple:

When I need to do the extra Game-related things, I simply cast (canned example):

I'm not sure if this is the most elegant way to go about it.  The cast strikes me as a bit of a code smell, but since those methods are used sparingly in my project, it seems like it's good enough.  Most importantly, my code footprint has been significantly reduced, and my backend is far simpler than it was originally.

You may have noticed that my type parameters implement IHGEntity.  That's just a utility interface that gives me access to my types' ID property, which in turn allows me to save my entities.  It is an epic one-line interface:

So, there it all it is.  I hope this will be of help to those just starting out with EF.

NOTE: Apologies for the inconsistent capitalization of type parameters in the code blocks above.  The syntax highlighter is automatically making anything within angle brackets lowercase.