Another day, another massive Dreamhost hack attack

A few months back, I wrote about a WordPress attack that affected a friend of mine. The hack was aimed at WordPress installs, and planted very subtle modifications to core WordPress files that redirected users to spam pharmacy sites.

At first, I thought the attack was aimed at unpatched WordPress sites, though my friend’s site was fully patched and updated. As I pursued the patch, I started noticing that a highly disproportionate number of the hacked sites were hosted on the same Web hosting provider my friend’s site lived on: namely, Dreamhost.

Dreamhost, as I observed later, seemed to be hosting quite a number of these hacked sites. And more worrying, the sites were generally fully patched, suggesting somesort of zero-day exploit against Dreamhost’s Web hosting servers.

I made note of it, fired off some emails to Dreamhost’s abuse team, and forgot about it.

Fast forward to today.

Today, I received a number of spam emails that used redirectors planted on hacked sites to redirect to a spam pharmacy page selling fake Viagra. More concerning, the site appeared to be attempting an exploit to download malware. It’s an exploit I’ve seen before, often used to distribute the W32/ZeuS banking Trojan.

In the spam messages I received, the redirect file had the same name: “jbggle.html”, So, curious, I did a Google search for sites with this filename in the URL and discovered quite a large number of hacked sites that redirect to the same spam pharmacy page:


All these URLs are live as of the time of this writing. All of them will redirect you to a spam pharmacy Web site which may also attempt to download malware on your server.

And interestingly, ALL of these Web sites is hosted by Dreamhost. Every. Single. One.

I strongly recommend that people steer well clear of Dreamhost. I have not seen this level of compromised Web sites on a single server since the zero-day exploit against iPower Web several years ago.

Dreamhost’s security team seems unwilling or unable to deal with this problem, which is quite disappointing for a large, mainstream Web hosting company.

Edited to add: Within minutes of this blog post going live, I received an email from Dreamhost’s security team that they had started examining the sites on their servers to remove these redirectors. It is not clear from the email whether or not they have identified the exploit being used to plant them, or indeed intend to do so.

So what IS wrong with rules, anyway?

I’m currently in the small coastal town of Brighton in the UK, a couple hours from London, staying with friends of emanix‘s. I’ve been severly jetlagged since I arrived in the UK; as near as I can tell, my internal clock, not sure whether to remain on Portland time or change to London time, has compromised by splitting the difference, and I am now on what would be a reasonable schedule if I lived in an empty spot of the Atlantic Ocean about 600 miles off the coast of New York.

As a result, I awoke at about 6 AM local time (or 10 PM Portland time) and couldn’t get back to sleep, so I turned to Twitter for solace.

One of the first tweets I saw asked a question about polyamorous relationships: If the people involved in the relationship are happy, what’s wrong with having a rules-based relationship?

Now, anyone who’s read anything I’ve ever written about relationships at all knows that I’m not a fan of relationship rules. To get a sense of why that is, one need only read here or here or..well, almost anything else I’ve ever written about polyamory.

But I still think it’s a fair question. As long as the people involved in the relationship are happy, what’s wrong with having a rules-based relationship? Is there really anything so bad about the idea of rules?

I thought about it for a bit, while struggling unsuccessfully to get back to sleep. And I think the answer is that yes, there is a fundamental flaw in the notion of rules-based relationships.

But before I get started on that, some background.

There are folks in the world who simply don’t like rules, and reflexively reject any form of rule as an unwarranted imposition on their freedom.

I am not one of those people.

My objection to rules in poly relationships does not come from an inherent dislike of rules in general. Far from it; when I first started this whole business of relationships, about twenty-six years ago, rules seemed like a natural and comfortable fit, a simple and obvious way to keep the relationships I was in stable and to keep the wheels from flying off unexpectedly.

And in fact there are quite a lot of rules in many parts of my life. I like games that have lots of rules. My relationship with zaiah is a strange switchy quasi-D/s thing that is evolving rather a complicated set of rules, which we have taken to writing down in a special book. So I’m not simply opposed to rules per se.

Also, I’m not much in to the notion of dictating to others how to live their lives, though I speak with certainty and as a result folks often believe I’m being prescriptive in the things I say. My ideas about polyamory tend to be predicated on what I have observed working and what I have observed not working; I’m enough of a pragmatist that what succeeds and what fails is much more interesting to me than what’s “right” and what’s “wrong” when it comes to relationships. (The definitions of “success” and “failure” are, of course, subject to interpretation, and that’s something I’ll touch on in a minute.)

All of my relationships have always been polyamorous. I have never once in my entire life had a monogamous relationship. Still, I did grow up in a culture where monogamy is the norm, and it seemed quite natural to me that such an unconventional relationship style must have some sort of system of rules in place in order for everyone to feel safe.

For many, many years, my “primary” partner (and yes, I did have a hierarchal primary partner) and I had a complex set of rules about who, when, where, why, and under what circumstances each of us could have another partner.

And it worked just fine for us, so there’s nothing wrong with that, right?

Except that, looking back, no, it really didn’t. And that brings me to reason #1 why I’m deeply suspicious of rules-based relationships:

#1. “It works for everybody” rarely, if ever, means it works for everybody.

It has been my experience that people who talk about agreements and rules which work for them usually–indeed, almost always–use a definition of “for them” that includes only “for the original people (often the original couple) in the relationship.” The impact of those rules on anyone who might come into the relationship later is seldom if ever considered. A person who enters the relationship is fenced in with a ring of rules, to contain and minimize the perceived threat that person represents; and if that person should find the rules unacceptable, or run afoul of the rules and then be ejected from the relationship, this isn’t seen as a failure of the rules. It’s seen as a failure of the person. “He isn’t REALLY poly.” “She was too threatening.” “He didn’t respect me.” Almost invariably, fault for the failure of the relationship is shifted onto that third person…but as long as the original couple remains together, the rules are working, right? And if the rules are working, what’s the problem, right?

Now, if I were to go back in time about ten or fifteen years and ask my earlier self “Are your rules working for everyone involved?” there is no doubt that that younger self would answer “yes” without the slightest hesitation.

At the time when i first started with rules, I believed they were necessary because, somewhere deep down inside, I believed that without them my relationship could not survive. Without rules, what would keep my partner with me? Without rules, how could I be sure my needs would get met? Without rules, how could I hope to hold on to what I had?

And I would have said that they worked for everyone, including my other non-primary partners, not out of malice but out of sincere belief, because…

…and this is a lesson it took me a very long time to learn…

it is almost impossible to be compassionate, generous, or empathic when you are filled with a fear of loss. So certain was I that the rules were necessary in order to protect myself from losing what I had, so afraid was I that without them I would lose everything, that not only did I not see the way those rules fenced in and hurt my other partners, I could not see it. It was as invisible to me as the concept of “wet” is to a fish.

Relationship rules and fear of loss often seem to go hand in hand in poly relationships. People who make rules don’t do it at random; they do it because, as was the case with me, it feels necessary.

We live, after all, in a society that holds very tightly to the notion of “the one” and “true love” and teaches us, from the moment we draw our first breath to the moment we take our last, that anything which interferes with the idea of couplehood represents a grave threat. Without sexual fidelity, there can be no commitment. Without commitment, there can be no safety, no security, no expectation of continuity.

Polyamory throws all that into question, yet we are still products of the ideas with which we’re raised; even someone who truly believes in loving more than one can fall prey to the idea that inviting someone else in is a threatening thing to do, fraught with peril.

Which brings me to reason #2:

#2. A rule can not, and never will be able to, fix insecurity.

Insecurity sucks. Believe me, I know. It’s one of the worst feelings in the world. When your partner does something that triggers a feeling of insecurity, the only thing you want to do is make that feeling go away.

It is natural, easy, and obvious to think that if your partner does something that brings on these awful feelings, if you pass a rule forbidding your partner from doing that thing, you need not worry about that feeling ever again.

So naturally, the rules that I had with my former primary partner largely revolved around things which triggered insecurities. Anything that felt like it threatened or diminished feelings of specialness, anything that seemed to take away from the things we most valued in each other, anything that got too close to home, anything that seemed to distract us from focusing on one another…all these things became fair game for rules-making.

These rules, of curse, were almost always applied to other partners rather than being made with other partners. We were the architects; other people were the subjects of the rules. Even when we negotiated them in the presence of “secondary” partners, it was very clear that they existed to protect us from them, not them from us. No matter how the negotiations were done, the power flowed in one direction only; they “worked for” a secondary partner in the sense that such a person could accept it or leave, no more. In that sense, they existed–deliberately, by design, though I would not have put it this way back then–to work against other people.

The idea that a system of rules can protect against insecurity, as seductive as it is, is ultimately bankrupt. The thing about insecurity is that it creates its own world. When you feel afraid of loss, or feel that your partner doesn’t value you, or feel that you’re not good enough, confirmation bias works its evil magic and you find evidence to support that belief everywhere.

Seen though the peculiar lens of expectation, everything becomes proof of your deepest fears. And no matter how many rules you pass, that never, ever goes away. The little fears whisper in your brain, all the time, like GrĂ­ma Wormtongue in The Lord of the Rings, planting its poisonous seeds in your brain. No matter how quickly you make rules to stamp out its triggers, the insecurity remains.

It is possible to overcome insecurity. I don’t think anyone ever really starts out secure and well-centered; it takes deliberate effort. I was not able to do it myself until the day come when I was able to take a leap of faith, cast aside the rules, and blindly trust that my partners loved me and cherished me and wanted to be with me despite all the fears that screamed in my face.

It took a tremendous amount of courage to do that. Which leads into the third reason I am skeptical of rules:

#3. Rules often inhibit growth.

There was a time in my life when I was dreadfully, powerfully insecure. I was never quite 100% sure why a partner would be with me, nor that if a partner were with someone else what she’d need me for.

Today, those feelings seem alien to me, like something that happened to some other person whose memories I have inherited but can’t quite connect with. Today, I build relationships that are powerfully secure, and I trust implicitly in my ability to construct a stable foundation of safety and security. More than that, though, I am secure inside myself. I am confident in my value, but also confident in my ability to grow and to be happy even if one (or more) of my relationships should happen to fail.

And indeed, that’s the only kind of security that is, or ever can be, real. No matter what promises I extract or what rules I make, there is nothing that can guarantee my lover won’t be struck by a bus, or develop a terminal disease, or even simply decide she’s had enough and leave. Nothing can ever keep me safe from loss; any such safety can only be an illusion. But I don’t need it; I know that should I feel loss, I may hurt, but I will survive, and ultimately I will be happy.

Many years ago, I had a friend who had an enormous pet iguana. Whenever she reached into its cage, it would lash at her with its tail. She would jump, then reach in again, and it would docilely allow her to pick it up.

On one occasion, after this ritual had played out, she said to me “I wish it would hit me, just once, so I would know what it felt like and I wouldn’t have to be afraid of it any more.” The older I get, the wiser that idea becomes.

There is a powerful lesson here. Just as you can never be compassionate when you’re filled with fear of loss, you can never be secure if you believe that you absolutely can not survive without your partner.

And you can never know that, or know that your partner truly cherishes you and wants to be with you, until you can gather the courage to face the fear of loss head-on, directly, no matter how much it scares you.

Until the day came that I was able to say “This scares the crap out of me, but I want to see if my insecurities are true, I want to see if what they’re warning me of will really happen,” there wasn’t anything I could hope to do to stop myself from being insecure.

And now that I have done that–now that I have slipped off the leash of rules and said to the people I love “Here are the ways you can cherish me; you are free to do whatever you want, to make whatever choices you think are necessary, and I will trust that you will make choices that show you cherish me”–I do not think I will ever feel insecure again.

It takes, unquestionably, a great deal of courage to step away from the safety and comfort of rules. However, once that is done, the fourth problem with rules-based relationships becomes obvious:

#4. The safety that is offered by a framework of rules is an illusion.

When I was in a hierarchal, primary/secondary relationship, the rules that my primary partner and I used to fence in secondary partners felt, to those people, like gigantic walls of stone and razor wire.

For the people upon whom such rules are enacted, that is quite common, I suspect. Such people rarely have a voice in those rules, and yet often end up hanging their entire relationship on the wording and interpretation of the rules, always knowing that a misstep or a changing condition can be the end of the relationship. Many folks who claim primacy in a primary/secondary relationship often say they need rules because otherwise they don’t feel “respected” by secondary partners, yet it’s difficult to be respectful when one feels hemmed in, encircled by walls, and knowing that one’s relationship is always under review.

But from the position of the primary partner in a hierarchical, rules-based relationship, I always knew that to me, they were nothing but tissue paper. The rules which were so immutable to a secondary partner applied to me only for so long as I chose to allow them to apply to me.

And when the day came, as it finally did, that I looked past my own screaming insecurities and my own well of fears for long enough to see–really see–what this structure of relationships was doing to my secondary partners, how it was constantly placing them in a minefield where what seemed to them like even a trivial miscalculation could bring down the wrath of the furies upon them, I decided that I could no longer in good conscience bear to subject people to this sort of environment, and I ended my primary relationship.

Just like that.

All the rules, all the covenants, all the agreements, all those things were no more effective at keeping me in the relationship, in the end, than a rice-paper wall is effective at stopping a charging bull.

Rules can not make someone stay. Once the decision is made to go, no rule will prevent it. That fortress that seems so impregnable, that seems able to give safety and security in a frightening world, is made of mud and straw.

Now, for folks who believe in rules-based relationships: Maybe your experiences are different from mine. Maybe you have rules that are considerate, compassionate, equitable, and kind. But are you sure?

If you were to talk to that version of me fifteen or twenty years ago, and ask him how he felt, he would absolutely tell you that all his rules were both necessary and fair. It’s a near-universal truth of the human condition that when you’re mired in your own emotional responses, it’s damn near impossible to see someone else’s. Even when partners told me that they felt unsure of their place in my life, or that the structures of my primary relationship put them in a tenuous position, it was easy for me to believe that the fault must lie with them and not with me…if I was even able to hear that much at all. It is very, very hard to understand your own strength when you feels weak, and to understand how you hold all the cards in an established relationship when you feel threatened by the newcomer.

The question “What’s wrong with having a rules-based relationship?” is absolutely a legitimate question to ask.

I’d like to flip it on its head and approach it from the other direction, though. Why have a rules-based relationship? What is the purpose of structuring relationships around rules? How, for those of you who feel the need for rules, would you complete the sentence “I have rules to structure my relationships because without those rules, the bad thing that would happen is ____?” What is it about rules that feels necessary, and how exactly do they serve to fill the function they are intended to fill?