Cloudflare: The New Face of Bulletproof Spam Hosting

…or, why do I get all this spam, and who’s serving it?

Spammers have long had to face a problem. Legitimate Web hosting companies don’t host spam sites. Almost all Web hosts have policies against spam, so spammers have to figure out how to get their sites hosted. After all, if you can’t go to the spammer’s website to buy something, the spammer can’t make money, right?

In the past, spammers have used overseas Web hosting companies, in countries like China or Romania, that are willing to turn a blind eye to spam in exchange for money. A lot of spammers still do this, but it’s becoming less common, as even these countries have become increasingly reluctant to host spam sites.

For a while, many spammers were turning to hacked websites. Someone would set up a WordPress blog or a Joomla site but wouldn’t keep on top of security patches. The spammers would use automated tools capable of scanning hundreds of thousands of sites looking for vulnerabilities and hacking them automatically, then they’d place the spam pages on the hacked site. And a lot of spammers still do this.

But increasingly, spammers are turning to the new big thing in bulletproof spam serving: content delivery networks like Cloudflare.


What is a content delivery network?

Basically, a content delivery network is a bunch of servers that sit between a traditional Web server and you, the Web user.

A ‘normal’ Web server arrangement looks something like this:

When you browse the Web, you connect directly to a Web server over the Internet. The Web server takes the information stored on it and sends it to your computer.

With a content delivery network, it looks more like this:

The CDN, like Cloudflare, has a large number of servers, often spread all over the country (or the globe). These servers make a copy of the information on the Web server. When you visit a website served by a CDN, you do not connect to the Web server. You connect to one of the content delivery network servers, which sends you the copy of the information it made from the Web server.

There are several advantages to doing this:

1. The Web server can handle more traffic. With a conventional Web server, if too many people visit the Web site at the same time, the Web server can’t handle the traffic, and it goes down.

2. The site is protected from hacking and denial-of-service attacks. If someone tries to hack the site or knock it offline, at most they can affect one of the CDN servers. The others keep going.

3. It’s faster. If you are in Los Angeles and the Web server is in New York, the information has to travel many “hops” through the Internet to reach you. If you’re in Los Angeles and the content delivery network has a server in Los Angeles, you’ll connect to it. There are fewer hops for the information to pass through, so it’s delivered more quickly.


Cloudflare and spam

Spammers love Cloudflare for two reasons. First, when a Web server is behind Cloudflare’s network, it is in many ways hidden from view. You can’t tell who’s hosting it just by looking at its IP address, the way you can with a conventional Web server, because the IP address you see is for Cloudflare, not the host.

Second, Cloudflare is fine with spam. They’re happy to provide content delivery services for spam, malware, “phish” sites like phony bank or PayPal sites–basically, whatever you want.

Cloudflare’s Web page says, a little defensively, “CloudFlare is a pass-through network provider that automatically caches content for a limited period in order to improve network performance. CloudFlare is not a hosting provider and does not provide hosting services for any website. We do not have the capability to remove content from the web.” And, technically speaking, that’s true.

Cloudflare doesn’t own the Web server. They don’t control what’s on it and they can’t take it offline. So, from a literal, technical perspective, they’re right when they say they can’t remove content from the web.

They can, however, refuse to provide services for spammers. They can do that, but they don’t.


History

CloudFlare was founded by Matthew Prince, Lee Holloway, and Michelle Zatlyn, three people who had previously worked on Project Honey Pot, which was–ironically–an anti-spam, anti-malware project.

Project Honey Pot allows website owners to track spam and hack attacks against their websites and block malicious traffic. In an interview with Forbes magazine, Michelle Zatlyn said:

“I didn’t know a lot about website security, but Matthew told me about Project Honey Pot and said that 80,000 websites had signed up around the world. And I thought ‘That’s a lot of people.’ They had no budget. You sign up and you get nothing. You just track the bad guys. You don’t get protection from them. And I just didn’t understand why so many people had signed up.”

It was then that Prince suggested creating a service to protect websites and stop spammers. “That’s something I could be proud of,’” Zatlyn says. “And so that’s how it started.”

So Cloudflare, which was founded with the goal of stopping spammers by three anti-spam activists, is now a one-stop, bulletproof supplier for spam and malware services.


The problem

Cloudflare, either intentionally or deliberately, has a broken internal process for dealing with spam and abuse complaints. Spamcop–a large anti-spam website that processes spam emails, tracks the responsible mail and Web hosts and notifies them of the spam–will no longer communicate with Cloudflare, because Cloudflare does not pay attention to email reports of abuse even though it has a dedicated abuse email address (that’s often unworkakble, as Cloudflare has in the past enabled spam filtering on that address, meaning spam complaints get deleted as spam).

Large numbers of organized spam gangs sign up for Cloudflare services. I track all the spam that comes into my mailbox, and I see so much spam that’s served by Cloudflare I keep a special mailbox for it.

Right now, about 15% of all the spam I receive is protected by Cloudflare. Repeated complaints to their abuse team, either to their abuse email addres or on their abuse Web form, generally have no effect. As I’ve documented here, Cloudflare will continue to provide services for spam, malware, and phish sites even long after the Web host that’s responsible for them has taken them down; they kept providing services for the malware domain rolledwil.biz, being used as part of a large-scale malware attack against Android devices, for months after being notified.

One of the spam emails in my Cloudflare inbox dates back to November of 2013. The Spamvertised domain, is.ss47.shsend.com, is still active, nearly a year after Cloudflare was notified of the spam. A PayPal phish I reported to CloudFlare in March of 2014 was finally removed from their content delivery network three months later…after some snarky Twitter messages from Cloudflare’s security team.

(They never did put up the interstitial warning, and continued to serve the PayPal phish page for another month or more.)

Cloudflare also continues to provide services for sites like masszip.com, the Web site that advertises pirated eBooks but actually serves up malware.

In fact, I’ve been corresponding with a US copyright attorney about the masszip.com piracy, and he tells me that Cloudflare claims immunity from US copyright law. They claim that people using the Cloudflare CDN aren’t really their concern; they’re not hosting the illegal content, they’re just making a copy of it and then distributing it, you see. Or, err, something.

I am not sure what happened within Cloudflare to make them so reluctant to terminate their users even in cases of egregious abuse, such as penis-pill spam, piracy, and malware distribution. From everything I can find, it was started by people genuinely dedicated to protecting the Internet from spam and malware, but somehow, somewhere along the way, they dropped the ball.

I wonder if Michelle Zatlyn is still proud.

Staring Into the Abyss and Blinking: Why I’m Not Watching Dr. Who

I was sold a bill of goods.

We all were, really. It was a bill of goods we’d been promised for years, with the reboot of the popular BBC TV show Dr. Who.

I loved Dr. Who as a kid. I had a secondhand television set in my bedroom when we lived in rural Nebraska. We didn’t have cable, and we were way out in the middle of nowhere, so we only got two stations: PBS and something I don’t remember (because if you have PBS, what else do you need?). I’d watch Tom Baker romp around the universe with his sidekick Louise Jameson (my second celebrity crush) in cheesy low-budget glory.

The new Dr. Who promised to be something darker, something more complex, something less campy and more menacing. And, for a time, it delivered.

Oh, sure, it had problems. Russell T. Davies’ epic misogyny was tiresome and sad, like that one relative who overstays his welcome at every family get-together, the loser who drinks too much and starts rambling about how in his day, women didn’t run for political office before he ends up passed out on the table with all the leftovers scattered around him and his head in the plate of mashed potatoes.

Eventually, the show realized it was actually Mr. Davies’ bigotry that looked tired, and Steven Moffatt took over the reins. His sexism is still there, to be sure, though it’s a more covert sexism, a sexism that sees female characters as “strong” provided they don’t, you know, talk too much or stray from gender roles. But that, perhaps, is a topic for another essay.

Ah, Steven Moffat. The man who blinks at the edge of the Abyss. The man who promises but can’t deliver.


The Promise

When you think of the new Dr. Who, what comes to mind? The character of the Doctor has been re-imagined in a much darker way than the original. This is not the Tom Baker Doctor; this is a doctor much more complex, much less cartooney. This is the Doctor who is always running–but not necessarily from Daleks or Cybermen as much as from himself. This is the Oncoming Storm, the Doctor capable of atrocity, the Doctor who disowned his own name after he destroyed his entire species. This is the Doctor driven by remorse, grief, and a vast, aching ocean of loneliness. This is a Doctor at war with himself.

That’s what the new series offered, and, for the first several years, delivered. In the re-imagined Dr. Who, we were introduced to a character made up of equal parts whimsey and rage, hope and regret. This was a Doctor of contradiction, a Doctor capable on the one hand of rejoicing “Just this once, everybody lives!” and on the other of inflicting infinite punishment on those who anger him. “He never raised his voice. That was the worst thing, the fury of the Time Lord… And then we discovered why.” This is a Doctor capable of acts of almost inconceivable fury. This is a Doctor who, while deriding genocide, is altogether comfortable with it.

Where did this psychological complexity come from? According to Steven Moffat, from his own past, from his own decision some countless number of centuries ago to destroy his own kind and the Daleks in order to prevent their war from swallowing up everyone else. He looked into the Abyss, and he chose atrocity. He made the choice, consciously and with awareness of the outcome, to commit genocide. Living with the consequence of that choice has defined his character since.

This is the grownup Doctor, the Doctor for adults. The Destroyer of Worlds, the Oncoming Storm, the Bringer of Darkness, with a goofy grin and a Fez and an irrepressible sense of optimism that flies in the face of everything he’s seen. This is the new Doctor.

Or so we were told.


The problem

Many heroes have darkness in their pasts. It’s a rather pedestrian storytelling technique. The most simplistic versions of it, repeated in nearly every comic book since the dawn of time, involves a traumatic event inflicted on the protagonist by an outside party, which becomes the protagonist’s reason to become a hero. Spider-Man and Bruce Wayne had people close to them murdered by bad guys. It’s a cheap trick, a quick way to jump-start a hero without having to work too hard.

Sometimes, storytellers will go a more ambitious route, and make the Dark Tragedy that compels the protagonist forward an atrocity of the character’s own making. This is the strategy employed in my all-time favorite novel, Use of Weapons. When it succeeds, it succeeds well.

It’s a difficult thing to do, though. Presenting a character the audience is expected to see as sympathetic and to be able to identify with, and who is also capable of acts of atrocity the audience finds repugnant, requires considerable finesse in the craft of storytelling.

There’s a problem that one faces, when one is a storyteller dealing with a protagonist who, we are told, is capable of atrocity. At some point, we, the audience, must see the atrocity, or else it becomes a gimmick. If we are told the protagonist is capable of this repugnant thing, but we are never shown it, it’s simply another cheap trick, too easily ignored. Eventually, the TV show was going to have to come to a point where we, the audience, would have to be taken to the abyss. We were going to have to see the act, if we were to continue to take it seriously.

That moment came in a Dr. Who show called The Day of the Doctor, and Steven Moffat almost–almost–pulled it off.

The Day of the Doctor could have been one of the best hours of television filmed in a long time. Instead, it made me utterly abandon any interest in continuing to watch the show, and totally undermined any confidence I have in Moffat’s ability to tell a story.

It should have worked. It really should have. I mean, for Chrissakes, they got John Hurt to play the zeroth Doctor, the Doctor whose act of atrocity laid the groundwork for everything that came after.

The Blink

Dr. Who has always been a corny show, with the degree of corniness waxing and waning as different writers tried their hand at the character. (The Titanic ramming through the TARDIS walls in one particularly atrocious and best-forgotten episode, for instance, will not exactly ring down through the ages as television’s highest moment of artistic achievement.) There is, naturally, a bit of corniness in The Day of the Doctor,, and the episodes leading up to it. That’s to be expected. It’s the characters and not the situations that matter most, right?

So we are introduced to the War Doctor, the Doctor before he renounced his name, the Doctor who was the person all the other Doctors would spend their lives running away from, the Doctor who made an unthinkable choice for which he and all his future incarnations would be driven by remorse. We saw, by the device of time-travel and simultaneous presence, the revulsion and contempt his future selves hold for him. We saw, starkly, the Doctor’s self-loathing put on display. We, the audience, were walked through the events that led to this unthinkable choice, the anguish, the despair, the cold moral calculus that justified it and the emotional response to what it implied. We saw all that.

And then, we saw those future Doctors, the ones who had spent centuries running from that choice, the ones who held the man who made them in such contempt, join him at that hour. Wait, the later versions said. You were the Doctor on the day it wasn’t possible to get it right. But this time, you don’t have to do it alone. The past Doctor and the future Doctors, reaffirming that this act was the right–the only–thing to do.

This was a gutsy, brilliant piece of storytelling. This was the storyteller leading us to the edge of the Abyss and saying, see, this character you love, he is capable of atrocity, and he would do it again. This was the Doctor saying, all these centuries I have lived with this guilt and this remorse and this shame and this self-loathing, and I would do it again. From here, from the vantage point of all these centuries, with all that has happened, it was still the right thing to do. This was the twin irreconcilable pillars of the character’s psychology, the essential paradox of his makeup, the Doctor’s compassion and the Doctor’s capacity for genocide, reconciled. This, maybe, was the beginning of the Doctor’s coming to terms with himself, the path away from self-loathing and grief.

And Moffat blinked.

But he’s the Doctor! Everybody loves the Doctor! He wears a fez! He’s nice to puppies! He helps little old ladies cross the street! We can’t show the Doctor doing this!

And so, in a ridiculous last-minute deus ex bigger-on-the-inside-machina, he blinked. No, we won’t make him do this! We will paint ourselves out of the corner we’ve painted ourselves into because…the TARDIS is magic! Alternate dimensions! But we won’t actually change the Doctor’s character because…because, um…time loop! Memories! He’ll still believe he did this terrible thing even though he didn’t! Nobody actually has to make hard choices, not for real! Retcon! Retcon!


I can forgive a lot of things.

I can forgive uneven writing. I can forgive lapses in continuity (“Even a Time Lord’s body can be dangerous, so we have to burn it…no, wait, Time Lords don’t leave behind bodies when they die, they leave a special effect instead!”) I can pretend that episode about the Titanic didn’t happen.

But I can’t forgive cowardice.

What happened in The Day of the Doctor was cowardice. It was a storyteller making a promise he didn’t have the guts to deliver on. It was not crediting us, the audience, enough to believe that we could take you seriously about the genocide thing and still want to keep traveling with this character. It was the easy way out–I promised you this…oh, no, only kidding! The Doctor would not really do that. Not for serious.

I can’t forgive cowardice, and the television show no longer interests me in the slightest. I simply don’t care enough to follow it any more.

We were sold a bill of goods. The box is empty. The Emperor has no clothes. Steven Moffat can keep his robotic bad guys with their plunger arms and little flashy lights. I want stories that aren’t afraid to go where they promise. Now, where’s that Culture book?

The Dangers of Digital Outsourcing

Email is hard.

The standards we use for email date back to the 1980s. They were based on even more primitive email standards develiped in the late 1960s and early 1970s.

Computer networks were a very different animal back then. The ARPAnet, one of the precursors to the modern Internet, had 50 systems on it. Everyone knew each other. Only a small handful of “email addresses” existed. There was no security and no authentication, because you knew all the other people who had email access.

Today’s email system is a hacked-together, tottering patchwork of different ideas and implementations, with all kinds of additions and extensions bolted on. It’s still woefully insecure, and it still has its roots in an earlier and vastly simpler time.

This means running email servers is hard. Even if you’re a big ISP, running email servers is hard. And it’s expensive. Even the most dedicated sendmail guru will tell you getting all the configuration wibbly bits correct is difficult and tedious, and it’s easy to make mistakes.

So more and more people are outsourcing their email. Even large ISPs are turning to Google to run their mail servers. Everyone knows about gmail, but most people don’t know that gmail can also take over your company’s mail services, dropping the “@gmail” bit for whatever you want. Google is good at email and it’s a lot cheaper to have them run your email than it is to do it yourself.

Which creates a problem.


Most email is spam, by a huge margin. About three-quarters of all the email sent anywhere is spam. The only reason you can still use your email is filtering, filtering, filtering. The stuff that lands in your inbox is the tiny drip, drip, drip of spam that gets through the filters holding back the torrential flood.

This happens because email standards were invented in a time when there were 50 computers on the entire net and everyone knew everyone else, so there is absolutely no authentication built into email. I can send you mail from any address I want and your server will blindly accept it.

Now, most of the Internet doesn’t like spam. Or, at least, it pretends not to. (Many mainstream ISPs and affiliate advertising companies turn a blind eye to it, because profit–but that’s a post I’m working on for another day.)

ISPs have certain “role accounts”–email adddresses that are always the same, such as postmaster@whatever, hostmaster@whatever, and abuse@whatever.

The abuse@ email address is where you send reports of, naturally, abuse. If an ISP is hosting a Spamvertised Web site, or has been hacked and is being used to spread viruses, or is the source of spam emails, you send notifications and copies of the spam emails to abuse@.

So, naturally, you can’t put spam filters on the abuse@ email address, for obvious reasons. If you spam-filter abuse@ and I try to send you notification of spam that’s being sent from your servers, the notification will get filtered and you won’t see it.

In fact, “thou shalt not put spam filters on your abuse role account” is in one of the documents that specifies what makes the Internet go. The standards and protocols that make the Internet work are outlined in a series of technical documents called “RFC”s, and RFC2142 spells out what role accounts an ISP should have, what they’re used for…and oh yeah, don’t run a spam filter on your abuse@ address because that would be really stupid.

The problem is that more and more ISPs are realizing that email is hard, running email servers is hard, and it’s a lot cheaper and easier to let Google just handle all your email services for you.

And Google automatically filters spam.


Email is hard.

Part of the reason email is hard is every email address can be configured in a zillion different ways with a zillion different options.

Google has built a set of options that make sense for most email addresses most of the time, and when you turn over your email operations to Google, that’s what you get.

One of those options that makes sense for most email addresses most of the time is spam filtering. When ISPs and Web service providers relinquish control of their email services to Google, they’re often not even aware that Google filters spam by default. They don’t know they are filtering their abuse@ address, because who would do that? How dumb would you have to be to put a spam filter on an email address intended for reporting spam, right?

So we get things like this:

Here’s the bounce:

: host aspmx.l.google.com[173.194.64.27] said: 550-5.7.1
[67.18.53.18 7] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550
5.7.1 more information. ny4si6062371obb.164 – gsmtp (in reply to end of
DATA command)
Reporting-MTA: dns; gateway07.websitewelcome.com
X-Postfix-Queue-ID: 0FF09169EDAB
X-Postfix-Sender: rfc822; franklin@franklinveaux.com
Arrival-Date: Fri, 28 Mar 2014 16:31:17 -0500 (CDT)

This was a bounce that came back from a “phish”–a phony PayPal or bank site designed to trick people into giving up sensitive information–that Cloudflare, a content delivery network, was serving. I reported the phish to them on March 28. When I checked it three days ago, it was still there, still stealing people’s passwords.

And it’s not isolated. This is an incredibly common problem:

: host alt2.ASPMX.L.GOOGLE.com[74.125.29.27] said:
550-5.7.1 [67.18.62.19 12] Our system has detected that this message
is 550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550
5.7.1 more information. x7si1316702qaj.209 – gsmtp (in reply to end of DATA
command)
Reporting-MTA: dns; gateway01.websitewelcome.com
X-Postfix-Queue-ID: C61B24C69D52
X-Postfix-Sender: rfc822; franklin@franklinveaux.com
Arrival-Date: Sat, 3 May 2014 15:54:51 -0500 (CDT)

: host ASPMX.L.GOOGLE.com[173.194.64.27] said: 550-5.7.1
[67.18.22.93 12] Our system has detected that this message is
550-5.7.1 likely unsolicited mail. To reduce the amount of spam sent to
Gmail, 550-5.7.1 this message has been blocked. Please visit 550-5.7.1
http://support.google.com/mail/bin/answer.py?hl=en&answer=188131 for 550
5.7.1 more information. ij7si5132986obc.180 – gsmtp (in reply to end of
DATA command)
Reporting-MTA: dns; gateway05.websitewelcome.com
X-Postfix-Queue-ID: 9FB7A4A9184F7
X-Postfix-Sender: rfc822; franklin@franklinveaux.com
Arrival-Date: Mon, 5 May 2014 02:07:56 -0500 (CDT)

Most folks, when they see the bounce message, are like “d’oh!” and find a way to turn off filtering their abuse@ message. (Cloudflare seems to be a bit of a special case; they tend to get defensive and snarky instead. That’s disappointing, as their founder was an early anti-spam pioneer.)

The dangers of outsourcing bits of your business is that you necessarily lose control of those bits. When you’re an ISP or a Web service provider and you outsource your email services, well, losing control of your email services can have some unfortunate consequences. When you filter your abuse@ address, you soon become a haven for spam and malware and phish pages and all sorts of other nasties…because you don’t know you’re hosting them.

So what’s the solution?

Ideally, a complete overhaul of email. Since that’s about as likely as Elvis stepping out of a flying saucer in Times Square and handing me a winning Powerball lotto ticket, I’m not holding my breath.

Another solution is for ISPs to acknowledge that the work they do is hard, and just doing it. That’s a bit more likely, but it still involves things approximately as probable as Elvis and flying saucers–perhaps Elvis handing me a chocolate bagel rather than a Powerball ticket–so I’m still not holding my breath.

But it might be in the realm of possibility for Google to set up their configuration to turn off spam filtering by default on any email address that contains the word “abuse.”

Anyone know anyone who works in Google’s email services department?

“I’m not a feminist. I love men!”

If you’ve been reading my blog for any length of time, you’ll know I hold very little in common with the Religious Right. I do not, for example, believe that homosexuality is a sin, or that Teh Gayz are all destined for the fires of Hell. I don’t much cotton to the notion that the government of the United States should be replaced with a Christian theocracy. Nor do I believe there is a hidden secret agenda of the Godless to drive this great nation into the ground–I think the anti-intellectualism displayed by so many on the Right is doing that job well enough, thanks.

But there is one thing I admire about the Right, and that is their fearsome, epic ability to frame discussion about any topic they care about by crafting a point and then keeping tenaciously, ferociously on point.

“I’m not a feminist. I love men!”

One of the ways the Right has been brilliantly successful at framing the public discourse is in the way they’ve controlled how we think about women. And by “we” I don’t mean “people on the right,” I mean everyone.

Even folks who ought to know better.

“I’m not a feminist. I love men!”

The areas of the Internet I frequent are not areas where the Right often appear. I tend to spend my time online in forums that talk about non-traditional relationships, progressive social issues, technical and scientific subjects, and skepticism.

And there’s something really striking about all these places. The Right may not be present there, but the ideas of the Right are. Even, interestingly, in people who claim to despise the Right.

“I’m not a feminist. I love men!”

There’s no place this is more obvious than in conversations about the Dread F Word. No, not that Dread F Word, the other Dread F Word.

Find yourself a progressive, generally respectful, tolerant, otherwise with-it person. Man or woman, it doesn’t make much difference. Just find someone who thinks there’s room for a multiplicity of views in the public ideosphere. Someone who, if he or she is religious, doesn’t think God commands converting the heathens at the point of a sword. Someone who thinks that people ought generally to be treated well,and that religion isn’t the basis for the formation of a Western representative government. Someone who will agree that racism is a bad thing, even if it’s not entirely clear what we should do to get rid of it.

Now ask that person a simple question: “What is feminism?”

See that? Something very strange happens. For a brief moment, when that otherwise progressive, generally agreeable person starts talking, it’s as if Rush Limbaugh or Sean Hannity stuck his hand up your interlocutor’s ass and made his or her lips move. For that brief instant, that person, that otherwise agreeable and not at all racist or sexist person, becomes a meat puppet for Mr. Limbaugh, Mr. Hannity, and his ilk.

Even if that person would be horrified at the thought of listening to their shows.

“I’m not a feminist. I love men!”

Think about what goes through your mind, dear reader, at the word “feminist.” Do you think “shrill”? “Strident”? “Misandrist”? “Humorless”? “Man-hater”? “Feminazi”? Does an image pop into your head of a woman who wants to get ahead by tearing down men, a woman who blames men for her own shortcomings, a woman who wants to cause trouble because she can’t succeed on her own? Do you picture someone who, even if she perhaps has the right intentions, has totally gone overboard, accusing all men of being sexist (or worse, of being rapists)?

Guess where those ideas come from? I’ll give you a hint: Not from actual feminists.

Now, don’t get me wrong: any sufficiently large group of people is going to contain extremists, bad apples, and destructive folks. If you look at doctors in general, you’ll find the occasional cynical lying fraud like Andrew Wakefield–but we don’t say all doctors are frauds who deliberately publish articles they know to be fabricated. There are probably a small number of extremists out there somewhere who hold something that might reasonably be within spitting distance of some of the stereotypes about feminism.

But the idea that this is what most or all feminism is about? Sheer, brilliant, amazing PR by the Right. Where did you get those ideas? You got them from the Right, even if you don’t know it.

You probably think you didn’t get them “from” everywhere. You simply know them to be true. Everyone knows them to be true, right? And that’s the crux of the brilliance: if you repeat an idea often enough, everyone, even folks who ideologically despise you, will come to accept it as just true.

Feminists hate men. Everyone knows it. Because we’ve all heard it, even if we don’t exactly remember where we’ve heard it from.

Are there women who are angry? Oh, yeah, you bet. What’s amazing is not that women are angry, but that more women aren’t more angry. All the dudebros I’ve personally met get a whole lot angrier about things a whole lot more trivial–for instance, the notion that they shouldn’t grope those hot somethingsomethings at that con without, you know, asking them first. (Scientist Hope Jahren actually had a colleague ejaculate in an envelope and leave it in her mailbox when she dared to think that she might be worthy of a spot on a serious scientific research team…and this isn’t even an isolated or extreme example of the kind of shit women deal with every day. And men say women are angry? Seriously, what would we say about women if they thought it was appropriate to protest the presence of a man on a research team by shoving a used tampon into a mailbox? Seriously, it amazes me that every woman on earth does not, at some point, climb a clock tower with a rifle. I guaranfuckingtee you that if the roles of men and women were reversed tomorrow, we’d see a whole lot of dudebros doing exactly that.)

“I’m not a feminist. I love men!”

The idea that feminism means hating men has been so skillfully inserted into the public discourse that it’s accepted as a premise in almost any dialog about men and women. And it’s a corrosive idea. It distorts conversation. If you accept this premise, a whole lot of things that would otherwise seem unreasonable–indeed, even offensive–start to sound reasonable.

What is feminism?

It’s the idea that men and women are both people, equally deserving of agency. That’s it. That’s the whole package.

What separates feminism from humanism, then? Centuries of institutional, systematic inequality, that’s what. Saying “I think men and women are equal” is all fine and dandy, but if you ignore the fact that we live under a system that treats, in a thousand ways, men and women as decidedly unequal, congratulations! You’ve just won a Nobel Prize in Missing The Point, which you will be sharing with approximately two and a half billion other luminaries in point-missing.

If you think women are people, congratulations, you’re a feminist! And if you don’t, well…the alternative, it seems to me, is “asshole.”

If you reject this notion of feminism, because everyone knows it means something else, ask yourself: How do you know? Do you know from actually talking to women, or because you’ve heard of this one person who said this feminist this one time said all men are rapists and should die? And if it’s the latter, ask yourself…how did he know that? And more to the point, who benefits from this particular notion of feminism? (I’ll give you a hint, bro: it ain’t women.)

End note: At this point, I know, I just know, that some of you have fingers already all a-tingle to send me a private email telling me pretending to be a feminist is a great strategt for getting laid. Seriously, don’t bother.

An Open Letter to Brogrammers

Computer programming is a tough job. It’s not for the faint of heart or the fair of sex. It’s grueling, high-stress work, demanding that you sit on a comfortable chair in an air-conditioned office for hours on end, typing on a keyboard while looking at a monitor. Women just aren’t rugged enough for that.

Plus, as everyone knows, women can’t code. At best, they can maybe contribute in their small way to large open-source projects, but really, they’re much better suited for accessorizing PowerPoint presentations written by real coders. Manly coders.

If this is the world you live in, bro, I’m afraid I have some really bad news for you.

I’d like to introduce you to someone. This is Augusta Ada King, Countess of Lovelace. She was a lady’s lady, an aristocrat who lived in the 1800s and who did all of the things young women of noble birth did back then–danced, wrote poetry, and penned long flowery letters to her tutor.

She also wrote the world’s first computer program in 1842, in the margins of a technical document she was translating from Italian into English.

Yes, you read that right. Ada was so fucking baller she wrote code before computers had even been invented. You think you’re hardcore because you can use agile development strategies to link a big data repository to a high-performance querying front end without SQL? Pfaff. This woman invented coding before there was anything to code on.

And then there’s this woman, who could kick your ass sideways, steal your lunch, and then fart out code better than anything you’ll ever be capable of if you live to be a thousand years old.

This is “Amazing” Grace Hopper. She took leave from Vassar to join the Navy, where she invented or helped invent the entirety of all modern computer science, including nearly every wimpy-ass tool your wimpy ass laughingly refers to as “coding.” Compared to her, you’re nothing but a little kid playing with Tinker toys. Tinker toys she invented, by the way.

Yeah, I know, I know. You think you’re all badass and shit because you can get your hands right down there and compile a custom Linux kernel with your own task scheduler that reduces overhead for context changes by 16%, and…

Ha, ha, ha, ha, you are just so cute! It’s absolutely precious how you think that’s hardcore. That kind of shit is duck soup. Seriously, no-brains-required duck fucking soup compared to what she did. That C compiler you love so much? Grace Hopper invented the whole idea of writing code in a language that isn’t machine code and then compiling it to something that is. She was the one who came up with the notion of a “compiler” (and wrote the very first one ever), pausing along the way to invent code testing and profiling.

Thanks to her, you’re living in the lap of luxury. you can write code without having to know the exact DRAM timing. You have conditional branches and loops–neither of which existed when she started programming the Harvard Mark 1. (She made loops by taking long strips of paper tape and, no shit, taping their ends together to get the computer to execute the same code again.)

You want to see hardcore programming? I’ll show you hardcore programming:

This is what real hardcore coders do. No compilers, no syntax checkers, just a teletype machine and a bunch of fucking switches that change the computer’s memory and registers directly.

And you know what? For her, that was luxury. She and all the other early computer programmers–almost all of whom were women, by the way–started out programming by plugging patch cords into plugboards, because that’s how they rolled, motherfucker. Fuck keyboards, fuck front-panel switches…those things were soft. If you wanted to code back then, you needed a postgraduate degree in mathematics, an intimate understanding of every single component inside the computer, and the ability to route data with your bare fucking hands.

Grace Hopper was so badass that when she retired from the military, Congress passed a special act to bring her back. Twice. And then when she retired for real (for the third time), the Navy named a guided missile destroyer after her.

Trust me when I say you will never be this badass, bro.

So the next time you see something like this:

and you think that girls can’t code, just remember girls invented coding. And invented the tools that finally let softies like you play at being programmers. They did the heavy lifting so programming could be easy enough for noobs like you.

“We are not given a good life or a bad life.”

I haven’t been writing much here lately, because Eve and I have been hard at work writing our book about polyamory. At 160,000 words, it’s well north of the New Testament and a bit north of The Two Towers in size. It turns out polyamory is complicated, and we have a lot to say about it.

However, I’m taking a break from writing about polyamory because I’ve started seeing this meme pop up all over the Internetverse, and it’s reached the point where I have to say something about it. I think it’s symptomatic of the problem of privilege.

I get what it’s trying to say. Really, I do.

But it’s wrong.

Yes, some people are given a bad life or a good life. We do not all start from a neutral place. Take this kid, for example. He would, I’m sure, be quite happy to have been given a life that was neither bad nor good:

This photo, by South African news photographer Kevin Carter, won a Pulitzer Prize. It documents the effects of famine in Sudan, in which more than 70,000 people died. Carter later committed suicide; in his suicide note, he wrote, “I am haunted by the vivid memories of killings and corpses and anger and pain…of starving or wounded children, of trigger-happy madmen, often police, of killer executioners.”

Look at this kid. Then look at wealthy heiress Paris Hilton, out doing what she does best (which is, near as I can tell, “getting photographed partying”):

Then look back at the slave labor camps in North Korea, which are used to punish political dissidents “to the third generation.” People are born in these slave camps, grow up, and die (often of torture, beatings, or starvation) here, without ever knowing anything else.

The meme might more accurately say “white middle-class Westerners born into progressive democracies are not given a good life or a bad life.” But to be fair, perhaps that’s what’s meant by “we.”

For those who aren’t white middle-class Westerners in progressive democracies, there most definitely are good lives and bad. Not all lives have the same opportunity for choice and direction. Not everyone can choose to better their conditions; those born into North Korean Labor Camp 15, which is believed to hold as many as 30,000 slaves, certainly can’t.

Like I said, I get the point of the meme. I am a huge believer in empowerment myself; I have written a great deal about how the choices we make affect our lives, for good or ill.

But I also recognize that, to a large extent, this is a privilege–one that should properly belong to everyone, but doesn’t. Not everyone can choose to make their lives good or bad. The way we’re born matters; Paris Hilton can shrug off bad choices that would destroy many people who are born into a less privileged position, and just keep on keepin’ on.

Yes, make choices that make your life better. Yes, move in the direction of greatest courage. But when you do, don’t forget to be grateful that you can. It’s not your fault that people are born into situations horrifying beyond anything you can imagine, but it’s your responsibility to acknowledge that not everyone is in the same position as you are. Some people are given a bad life. If you’re not one of them, you’re fortunate, but don’t forget they exist.

And if your response is “lighten up, it’s just a Facebook meme!”–perhaps you aren’t paying attention.

Rant Part II: How Not To Be a Dick To Women

With all the pushback on (and off) the Internet to any suggestion that perhaps men could maybe refrain from treating women poorly, one might get the impression that we were talking about, say, taking all the money the NFL normally makes in a year and investing it in fusion power research or something equally unreasonable. How, the thinking seems to be, can men reasonably be expected to act like decent human beings toward women when we have all these throbbing biological urges? I mean, what if we see a woman, who’s, like, totally hot? Surely acting like a decent human being doesn’t have to apply to women who are totally hot, does it? If we treat a totally hot woman like a human being, how will she know we want to put our pee-pee in her sex burrow? And what about women who don’t make Mister Happy happy…if we treat them like human beings, how will they know we don’t find them attractive?

It’s madness! I mean, really. Treat women as people? All of them? Without constantly getting all up in their faces about whether we want to sex them or not? That’s just…it’s just…it…

…well, it turns out it’s really not that hard to do.

Listen, guys, here it is. You just…think of her like she’s a person. Someone who’s a friend, even. And then you act accordingly.

Listen, I know it sounds totes whack. It goes against everything we’re taught to believe about maximizing our chances of getting to do that thing with our pee-pees. But bear with me. All it takes is a little practice, and then you, too, might be a guy who’s a decent human being and totally not a complete shitcamel.

Let me walk you through some scenarios, so you can get a feel for how this works.

Scenario 1: You’re approaching a door. There are people behind you.

If you hold the door open for people, congratulations! You’re a decent person.

If you hold the door open for women, but not for men, danger! You’re probably a misogynist.

If you hold the door only for women you want to put your pee-pee on, guess what? You’re a shitcamel.

Scenario 2: You’re on an online dating site. You spend six hours pouring your heart out in a carefully crafted message to this cute little something something whose soulful eyes make you think she could be the light of your life, and whose big bazoongas make you want to do that thing with your pee-pee. After you send it, she doesn’t email you back.

If you just go about the rest of your life, go you! You’re a decent person.

If you write her a follow-up email telling her that she owes you a response, uh-oh. Misogyny ho!

If you send her a follow-up email filled with (a) every swear word at your disposal, (b) vivid descriptions of what a bitch she is for wounding you so grievously, (3) angry rants about what unpleasant fate should befall her, or (4) pictures of your junk, I’m afraid the prognosis is: shitcamel.

Scenario 3: You see a woman talking about how creepy it is to hit on women in elevators.

If you listen respectfully and adjust your behavior and expectations accordingly, woohoo! You’re a decent person.

If you respond with a defensive lecture about how you’re totally not one of those guys and she’s just trying to say that all men are rapists, I’m sorry to have to tell you this, but that that’s your misogyny.

If you go on a rant about how she’s totally saying all men are rapists and she deserves to be raped for it…well, there’s only one mathematical equation that accurately models your reaction. You = shit + camel.

Scenario 4: Women are talking about how linking birth control to employment insurance policies basically means their boss gets to tell them how to have sex. You:

…listen to what they’re saying, think about it, and realize that, actually, it is pretty messed up that the person who hires you gets to tell you how the insurance benefits you earn as part of your labor should be used, and having an employer making your decisions in the bedroom is kind of creepy. Go you! Decent person!

…say “well, you know, the employer is paying for this insurance, so the employer controls how it’s used.” Wait, what? The employer is paying a salary too, does that mean the employer gets a vote on what you buy on Amazon.com? Bzzt. Your misogyny is showing.

…say “well, you know, that slut can just pay for it herself if she wants to go slutting around.” Hello, shitcamel! One hump or two?

Scenario 5: You’re out chilling with the boys, and someone tells this absolutely hysterical rape joke. It’s funny because she is violated against her will! Get it? Get it?

You put on your best blank “no, I don’t get it” face, turn to your friend, and say “No, I don’t get it. What’s funny about women being violated again?” Score one for being a decent person! Extra special decent person points if you deliberately construct a social group of people who already get why that shit ain’t funny.

You don’t say anything. After all, if you don’t laugh, that means you’re not like those guys, right? Bzzt! Wrong. If you just sit there, they might assume you’re a little slow, but hey, you’re still just like they are. Sorry, your misogyny (and privilege) are showing.

You laugh, because nothing is as absolutely hysterical as talking about women getting violated! Plus, when those feminist harpies start shrieking about how uncool it is, you get exasperated because clearly they just don’t get it. For God’s sake, it’s only a joke! Free speech! Free speech! Heigh-ho, shitcamel! What’s your camel-made-of-shit encore, putting on blackface and joking about Negroes wanting the vote or something? They’re all just jokes, right? Free speech!

Some thoughts on privilege: Look, it isn’t about your guilt.

I participate in a lot of online forums about polyamory. It’s almost impossible to talk about polyamory without eventually talking about OK Cupid, which is arguably one of the best places online for poly folks to meet each other (I met my live-in partner zaiah there). And it’s almost impossible to talk about OK Cupid without talking about how often women tend to get harassed on online dating sites. Any online dating sites.

And, it’s almost impossible to talk about how often women get harassed, on dating sites or anywhere else, without a whole succession of men trotting up to say “well, I personally don’t harass women! Women act like all men are harassers! I’m totally not like that, and I don’t understand why women don’t talk to me online! I totally deserve to have women talk to me online! If I spend my time writing an email to some woman online I am entitled to a response, even if she doesn’t want to date me!”

And, of course, from there it’s just a short hop to talking about male privilege, and as soon as that happens, inevitably those same men trot up again to say “this talk of privilege is just a way to try to make me feel guilty!”

And I gotta say: Guilt? Seriously? You think it’s about guilt?

Guilt is for things you can control. Feeling guilty over things you can’t control, like the race or sex you were born with, is silly.

If you think talking about privilege is about making people feel guilty, you’re completely missing the point.

It’s about being a decent person.

People who are privileged may still struggle, may not always get what they want, but the whole point is they have a lot of advantages over other people. Advantages they can’t see. Advantages they don’t know about.

Talking about privilege is about awareness, not guilt. When people don’t know about the advantages they have, they act in messed-up ways that show insensitivity to others. Like, for example, telling women who experience harassment on a scale that men can’t even understand how they should feel about it, what they should do about it, and why they should, like, totes respond to ME because I’M not like that! I’M not one of those entitled jerks, and therefore I DESERVE a reply!

The purpose of understanding your privilege isn’t to make you feel something. Not guilt, not shame, not anything else. It’s to help you understand that you have a set of things you take for granted that other people don’t have, so that you can change the way you act.

Got nothing to do with feelings at all.

Change the way you act in small ways. Like, not telling women how they should feel about sexual harassment. Like, not telling inner-city blacks that the police are their friends. Like, listening when women talk abut harassment, instead of just saying “oh, you’re saying all men are harassers.” (Hint: No, they’re not.) Or saying something like “well, I just don’t see color.” (Hint: Not seeing color is something you can only do if you happen to be the privileged color. When you belong to an oppressed minority, you don’t get the luxury of not seeing your status.)

Change the way you act in medium ways. Like, if you are a man with a normal social circle, statistically you probably know at least three harassers and at least one rapist. Seriously. So, when you’re with a group of your friends and someone makes a racial joke or a rape joke or talks about how women are bitches or whatever, speak up. Remember, if you don’t say anything, those harassers and that rapist in your social circle–and yes, they are there, even if you don’t know who they are–assume you’re on their side and think the way they do.

When people make cracks about sending a woman into the kitchen to make a sandwich, or talk about how they’d sure like to get that hot chick drunk and bend her over the table, speak up. Say it isn’t cool.

Yeah, it’s uncomfortable to speak up when all your friends are yee-hawing and back-slapping about how absolutely hysterical that rape joke was. Deal with it. The discomfort you face speaking up ain’t nothing on the discomfort women face just walking down the goddamn street.

Change the way you act in large ways. Don’t vote for political candidates who talk about how only lazy blacks are on welfare or blab about “legitimate rape.”

People aren’t telling you you’re privileged to make you feel guilty. People are telling you you’re privileged because privilege is a system and an institution that benefits you and that you participate in without even knowing it. When you know about it, maybe you can stop participating in it. Maybe, if you’re brave and willing to pull on your big-boy pants, you can even put yourself on the map against it when the folks around you are participating in it.

On Feminism and Getting Laid

A little while ago, I wrote a blog post called Some Thoughts on Rape Culture.

Every time I write a blog post like this, as sure as night follows day, the same thing happens. Invariably, I will get at least one, and sometimes several, private emails in my inbox. The content of these emails is always the same, and they’re rarely stated in the blog comments. Every time, they’re some variant on the same theme:

That must be working pretty good for you, huh? Pretending to be a feminist must really get you laid.

This has happened for years, and this last blog post was no exception.

I’m not quite sure what to make of the assumption that a man who espouses feminist values must be using it as a ploy to get sex. The first time I encountered this, it was quite a head-scratcher, I must confess. Really? I thought. That’s your take-away? I am pretending to support values and ideals about women’s agency because I’m trying to score sex from feminists? Seriously?

Now, in all fairness, if you look at all my partners, it’s very unlikely I would be involved with them if I weren’t a “feminist man,” or, as I like to call it, “a man who thinks women are people.” I have simple tastes; I prefer strong, smart, confident women, and those tend–surprise!–to be women who like being treated as people.

But here’s the thing.

The fact that these women would only be likely to get involved with a man who respects the ideals of feminism doesn’t mean that they’d get involved with every guy who respects those ideals. Treating women as people is necessary but not sufficient; if you treat women as people, that doesn’t guarantee you’ll be involved with them, but if you don’t, you won’t. Yes, in order to have sex with my partners, you have to be a dude who’s a feminist. You also have to be a dude who they think is worth having sex with, and you can’t fake your way into that.

So as a strategy for getting laid, adopting feminist ideals is, by itself, kinda rubbish.

And pretending to adopt feminist ideals is even more rubbish.

I don’t quite get what’s going on in the head of some guy who thinks pretending to be feminist is a ploy to get laid, but I have to assume that a guy who thinks that, probably doesn’t think women are very smart. If someone pretends to think women are people, but doesn’t actually think women are people, I suspect the ploy would be revealed rather quickly. Probably some time between appetizers and the main course, and certainly well before any clothes come off. I really don’t think it’s possible to pretend to be feminist, at least not for any length of time longer than a dinner conversation.

I don’t say that rape culture is a thing because I’m hoping to get laid by women who say that rape culture is a thing. I don’t think women deserve agency and personal autonomy as a tactic to try to get them to use their agency and personal autonomy to fuck me. I mean, seriously, what the fuck? How is it that someone might seriously think that being nice to feminists is a strategy for getting laid? Is it because he thinks feminists are so well-known for…um, having sex with any guy who’s nice to them?

If I were to advocate some kind of duplicitous scheme to get more sex, I would definitely recommend “learn to swing dance” over “pretend to be a feminist.” It certainly seems far more likely to succeed. Pretending to be a feminist when you really don’t think of women as real people, just to try to get in the pants of women who want to be treated like real people, is just…it…I just…what is this I don’t even.

Some thoughts on rape culture

A couple of days ago, someone on a (closed) Facebook group I belong to posted a link to a blog post about rape culture.

And, predictably, one of the first comments to that link was along the lines of “this is just another attempt to say that male sexuality is bad.”

It doesn’t even really matter where the linked blog post is (though if you’re interested, it’s here); the “you’re just demonizing men” reaction comes up on any conversation I’ve ever seen about rape culture, as sure as night follows day. And it’s annoying.

It seems to me that if that’s your take-away from discussions about rape culture, you aren’t paying attention.

Male sexuality is not inherently evil, and acknowledging that rape culture is a thing isn’t the same as “demonizing male sexuality.” This seems obvious to me, yet it’s a persistent trope: saying that we have a culture that normalizes, trivializes, and to a large extent even excuses sexual violence is conflated with demonizing male sexuality, as if, I don’t know, male sexuality were somehow inextricably tied to rape or something.


I personally have never met any women who believe that male sexuality is tied to rape, though I keep hearing from other men about that’s what “feminists think”.

When I see a trope become that deeply embedded in a conversation about something, I tend to wonder who it benefits. I definitely think there are men who benefit from this trope. There are some men who want to conflate “discussing the cultural component of sexual violence” with “demonizing all male sexuality.” These men want you to read articles like the blog post that led to all this and respond with “you’re saying men are evil! You’re saying all men are rapists!” That’s the interpretation they want you to have.

There are two kinds of men who want you to have that response: rapists, and men who want power over women.


Not all men are rapists.

There is, for some people, a knee-jerk response to any conversation about rape culture that goes “You just think all men are rapists!” That isn’t what this (and articles like it) say. What they say is that women have to act like all men are potentially rapists, because rapists don’t wear a special hat or have a special handshake or anything.

A strange man is probably not a rapist, but he might be. Since there’s no telltale signal that lets you tell a rapist from a not-rapist, women have to assume that a stranger could potentially be a rapist, simply out of self-preservation. A common analogy here is that not every strange dog will bite you, but it’s usually a good idea not to approach every strange dog you see with reckless abandon–because some of them might bite you, and you have no way of telling which.

Rapists and men who want power over women are quite pleased when people deflect conversations about rape culture with “you’re just saying male sexuality is evil,” because it shuts down conversation about the reality of rape culture…and that suits them just fine. It allows things to continue on exactly as they are–which is to say, allows society to continue blaming victims of rape for their own attacks (“did you see what she was wearing??!), allows rape victims who come forward to continue being disbelieved, allows the courts to continue under-prosecuting rape.

All of this serves the needs of men who rape and men who want to control women, and the only side effect (other than the fact that, y’know, women are marginalized) is that some men are treated like they might possibly be a rapist.

You’re a guy, and you don’t like it? You don’t like the idea that women who don’t know you might respond as though you are a potential rapist, even though that’s something you would never, ever, do? Do something about it! Do something to make our society less welcoming to rapists. Don’t trivialize rape. Don’t whine “but what about false accusations?” when women talk about how claims of rape are rarely taken seriously. Don’t treat tape as a punch line.

Look, this is not rocket science. If you’re a guy, you have a disproportionate amount of power, even if you personally don’t feel like it’s true. It’s not enough to say “Well, I’m not a rapist, and I don’t trivialize rape, so I don’t like it when women treat me like I might be a rapist!” You have to do more. You have to stand up to the people around you who do trivialize rape. You have to stand up to people who are rapists–yes, I’m talking to you, and yes, statistically, unless you live as a hermit in a one-room cabin in Montana you probably know at least one rapist in your social circle. Even if you don’t know who he is.

You don’t like the implications of discussing rape culture? Don’t dismiss those discussions; that doesn’t serve anyone except rapists. Do something about it.