Call to the Lazyweb

Since I have a diverse flist and I know a lot of you have all kinds of interesting skills and knowledge, and since I’m swamped with work at the moment and don’t have time to do the research…

Anyone see any inherent problems with using sex toys made of pure silver? As in, safety or health issues surrounding silver dildos or other insertables?

Security is hard…

So I’m a regular reader, and contributor, to the MacFixit forums, technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.

MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?


The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.

Now, let’s think about that for a second.

A large, busy Web site–a Web site dedicated to, among other things, information about computer security updates–is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.

Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities1, and parameter inclusion vulnerabilities.

Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.

Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.

The current version, just for the record, is 7.2.

So I fired off an email to the administrator of the MacFixit forums, and for the last day and a half the forums have been “down for maintenance.”


Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?

1 And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.

Including you, Microsoft.

Rape fantasy and resistance play

Note: This is part 7 of an occasional ongoing "how to" series on BDSM.

Part 1 of the series, How to Tie a Rope Harness Part I, is here.
Part 2 of the series, How to Tie a Frog Tie, is here.
Part 3 of the series, How to Tie a Shinju, is here.
Part 4 of the series, How to Make a Custom Dildo out of Ice, is here.

Part 5 of the series, How to Make a Spikey Decorative Collar, is here.
Part 6 of the series, Theory and Practice of Ginger Figging, is here.

As you can probably figure out, most of these tutorials are really, really not work-safe.

This particular tutorial is not in any way work-safe, photographically or in text. It covers a topic that is both very common and yet at the same time triggering for a lot of people: rape fantasy. It covers communication, negotiation, and some starter scenarios, if this is the sort of thing you might like to try. If it sounds like it’s up your alley, clicky the link!


Some thoughts on computer security and credulity

So recently Business Week magazine ran an article about keylogger software being used in espionage. Essentially, defense contractors are being tricked into infecting their computers with keylogger malware, sent in targeted emails that appear to come from the Pentagon and other governmental sources.

The thing I find interesting about this, and also about things like the Storm and Kraken worms, is that they don’t take advantage of security flaws or vulnerabilities. They don’t attack holes in a computer’s operating system or applications, and they don’t rely on technical exploits of programming errors. These attacks all rely on tricking the victim into deliberately, intentionally infecting himself.

For that reason, I don’t think there’s a technological solution. The solution to a human gullibility problem isn’t in better programming or more elaborate firewalls; it’s in user education. No matter how sophisticated and bulletproof a security system is, there’s no defense against a person who deliberately chooses to permit someone through it.

But when it comes to the Intertubes, folks don’t get that.

If we had a situation where a criminal walked into a bank and, without weapons or violence, tricked a security guard into opening the vault for him and handing him all the money inside, we would not say “Oh, we need to build bigger vaults with thicker doors and more complicated locks!” It’s obvious to anyone who thinks about something like that that a bigger door or thicker walls won’t prevent someone from tricking a gullible guard into unlocking the door.

Yet with computer malware, we tend to jump on technological solutions. Someone in China tricks an American defense contractor into deliberately installing a key logger on his computer, and everyone says “We need tighter computer security and more computer defenses.” Which is as pointless and ineffectual as saying “we need thicker bank vault walls” if someone persuades the guard to intentionally, deliberately unlock the vault door and hand him the money.

What we need isn’t better computer security; better computer security will not and can not address this kind of problem. What we need is less gullible people.

A few weeks back, someone posted an ad on Craigslist saying that they were moving suddenly and they needed to get rid of everything in their house, including their horse. They said that the house would be unlocked and anyone who wanted to could come and take anything they liked. Hundreds of people showed up and ransacked the house, even taking light fixtures and plumbing fixtures.

Needless to say, the Craigslist ad was bogus. Some people had robbed the house earlier, then posted the ad to conceal the evidence of their robbery.

Of course, the police showed up, but what was most interesting was how indignant the folks who ransacked the house were. They were angry and upset that the police tried to stop them. Many of them waved printouts of the Craigslist ad around, as if it justified what they were doing. They genuinely, sincerely believed that the ad on Craigslist meant they were doing nothing wrong.

That’s the mentality a lot of folks–including folks who ought to know better, including defense contractors–have. They truly believe that if an email says it is from someone they know and they should download and run the attached program, it must be OK to do. They sincerely think that if they see it in an email, it can not possibly be false. And that gulllibility makes them easy to dupe.

These are not idiots. If a person walked up to them on a street and said “I live at 423 Main Street but I have to move in a hurry, so go into that house and take anything you like,” they’d be like “Yeah, right.” If someone walked into their office and said “I’m from the pentagon, take this CD and run the program that’s on it,” they’d never in a million years do it.

But because it’s on the Intertubes, somehow it gets past their bullshit filters, and they suspend their ordinary skepticism. And I think that’s really, really interesting.

One of my all-time favorite books is Why People Believe Weird Things: Pseudoscience, Superstition, and Other Confusions of Our Time, by Michael Shermer, who’s one of my personal heroes. I met him briefly at a science fiction convention last October, and he’s just as amazing in person as he is in print.

One of the things he talks about, and one of the things I’ve written about as well, is the idea of the brain as a “belief engine,” a tool for forming beliefs about the physical world. As a tool for survival, the brain works amazingly well, but survival pressures have tended to shape and mold it in such a way that its default state is to accept ideas uncritically rather than reject them. For our early hunter-gatherer ancestors, the consequences of accepting a false belief (“keeping this magic stone in my pocket will help me ward off evil spirits”) were generally less dire than the consequences of rejecting true beliefs (“a leopard is dangerous to me,” “keeping upwind of my prey will cause my prey to escape more often”), and so we have developed these amazing brains that find it much easier to accept than to reject ideas.

On top of that, our brains are so highly optimized for efficient and rapid pattern recognition that they can tend to see patterns even where none exist (“when I updated to OS X 10.4.11, my hard drive failed; the update was responsible for the failure”).

I wrote an essay about the belief engine a while back. I think that it applies to things like Internet hoaxes and Trojan-horse malware in part because we are wired by selective adaptation to accept ideas uncritically, but we are also taught from a young age when that kind of uncritical acceptance is dangerous.

Everyone (well, almost everyone) learns from an early age not to trust strangers. So if a stranger stopped us on the street and said “I live in the house at the end of the block but I have to leave, so walk on in and take whatever you like,” there’s no way we’d believe him. But we aren’t taught to distrust the Internet.

To make matters worse, I think the Internet confuses people by messing with the signs we have been taught to accept to mark trustworthy people and institutions. We are taught to separate folks within our sphere of trust from folks outside of it, but we are not taught that this trust doesn’t extend to the Internet.

So, for example, most of us trust our mothers. If we receive an email and it’s got Mom’s “from” address on it and claims to be a greeting card, we’ll likely download it and run it without a second thought, because we trust Mom. What we haven’t been taught is not to trust the From: address on any email. People don’t realize how easily that is faked; the email is trusted because it bears the mark of being from a person inside our sphere of trust, but that mark itself is untrustworthy.

Same deal for a defense contractor who receives an email that claims to be from his Pentagon contact. Because the email carries a mark of a person inside the sphere of trust, the email is accepted.

Phishing scams rely on that, too. We mostly trust our banks, and we are familiar with what our bank Web site looks like. So we associate things like the bank’s logo and the bank’s Web site layout, which are familiar and comforting, with that feeling of trust. We so strongly associate things like the bank’s logo witht he bank itself that just the appearance of the bank’s logo can make whatever it’s attached to seem trustworthy.

In contemporary society, this is intentional; businesses do a lot of work and spend a lot of money to associate things like logos with the business, and to attach the logo to our emotional response. But what that means is the logo and the familiarity of the Web site layout make us trust the fraudulent phishing site. These things are more important than, say, the padlock that shows a secure connection, or the URL of the site, because we have not been taught about those things but we have been taught to associate the logo with our feelings of trust in the bank, so that makes us fall for the scam Web sites, and we voluntarily turn over information that otherwise we would be unlikely to give to anyone.

So again what happens is that we see the Internet as a technological construction, and we seek technological solutions to security problems, when perhaps it might be more effective to see the Internet as a social construct, and teach people “never trust an email from anyone” or “never trust a Web site that does not show a padlock on it” the same way we teach people “don’t talk to strangers” and “don’t give your bank account number to people you don’t know.”

I’m not saying there’s no need for technological security, mind you. There are still folks who exploit technical flaws in computers, or who attack computers using technical attacks like DNS cache poisoning or DNS rebinding attacks. Securing computer networks is still a necessary thing to do, and on that score the Internet as it now exists gets pretty dismal marks.

But what gives the Internet its power is the way people use it, not the hardware that makes it up. It is a social construct; it’s essentially nothing more than a communication medium. And any time you have communication, you have the potential for cons and fraud. I really do think that we have not yet, as a society, learned to extend the same degree of distrust to the Internet as we have to things in “real life,” and as a result the natural tendency for us to believe rather than disbelieve is easily exploited on the Internet.

Frolicon, and some thoughts on BDSM

About three weekends ago, figment_j and dayo came down to visit for Frolicon, a BDSM/alternative sexuality convention here in Atlanta. Now, you might think that sounds like a lot of fun…and you’d be right. We met up with datan0de and femetal, and more than a few good times were had by all.

Now, in some ways I think that my own approach to BDSM–or at least the things bout BDSM that draw me to it–are a little unusual, at least in comparison to what I see in others. I’ll get to that in a minute. First, some notes about the con itself.

Which was a blast.

lolitasir gave a demo workshop on fisting, which is one hell of an awesome way to start a weekend. Some how datan0de–at least I think it was him, it may have been one of his clones–ended up being drafted into the demo, playing the part of “lube boy.” And, all in all, there are worse positions to be in. Especially considering it is, y’know, a great way to get up close and personal with a woman writhing in ecstasy, which is always fun.

I also learned to put in a pair of contact lenses. I have a set of contacts that looks like cyborg eyes, and I swear, I have no idea how you folks who wear these damn things all the time do it so easily. Half an hour of working and swearing, it took, just to get them in, and another half an hour to get them back out again.

Lots of panels (and dayo taught me a really cool no-knot two-column tie I’ll be putting up on Symtoys at some point), lots of sushi. Going out for sushi straight from the con, in fetishwear and the whole bit, was fun.

And, of course, lots of play parties.

I had the opportunity to play with dayo and figment_j at the same time, and that by itself was a tremendous amount of fun. Play with each of them is effortless and tends to flow very well, and the three of us together have that same dynamic. figment_j and I had the pleasure of co-topping dayo, with floggers and crops and knives, oh my… After the fisting, it was time for us to turn our attention to figment_j, which is where I really noticed that my style of play, even at play parties, isn’t the same as many of the other people I see play.

I first played with figment_j in a public play party last year. One of the things that I found with her, and one of the things that delights me a great deal about her, is her fearlessness when it comes to exposing herself emotionally. The two of us seem to have a very natural kind of unspoken language when we play, that extends far beyond the physical things we do.

It’s been my observation that many of the people I’ve watched play in public are willing to expose their bodies for whatever scenarios they and their partners create, but are less willing to expose their emotional selves. And certainly in a situation where a person is playing casually, especially with a new partner, that makes sense.

But one of the things that most delights me about figment_j is how easily and readily she makes herself emotionally vulnerable, and how effortlessly we carve out a very private space even when we’re surrounded by people. It was fun to see how that private space expanded to include dayo, too.

I’ve experienced the same thing with dayo, and it does seem to me that this kind of intimacy is not the norm in public play spaces. It takes, I think, a very particular kind of courage to play that way.

Later, when figment_j and I were talking about it, she was expressing frustration that she can’t do the kind of edgy physical play that she’s seen other people do. There was, for example, a person being whipped with singletails at the same time as we were playing–something that’s definitely a nontrivial kind of scene.

I think, though, that the best measure of an activity is in how the people involved respond to it, and in the psychological environment it creates, rather than in the nature of the physical activities, or the amount of bruises it leaves. (Don’t get me wrong; I love leaving marks on my partners, oh yes. Bu that’s not the measure of the quality of the encounter, not by a long shot.)

I get quite a lot of email from my BDSM pages every month, and one common theme I’ve seen in a lot of the email is people saying “I’ve heard of [insert some kind of activity here], and I just don’t see myself getting into that–I’m worried that I’m not a ‘good’ submissive.”

I think that kind of idea can be especially easy to fall into at a play party, where you might be exposed to a wide range of different activities–singletail play, knife play, piercing play, needle play–I’ve even watched people doing fire play at a play party (sans fire extinguisher, which kind of ticked me off, but that’s a whole different issue altogether). Since it’s easier to see the physical side of the things going on than it is to see the emotional side, I think the tendency exists to say ‘So that’s what BDDSM is all about; I don’t want to do those things; that must mean I’m not really doing it right.’

But for me, the stuff that happens behind my partner’s eyes is the interesting stuff. The various techniques that get us there are more or less irrelevant; they’re just the path to the destination. It’s the destination itself, not the road you take to get there, that matters.

And I do realize that approach is somewhat unusual. For many people I’ve talked to, it’s the activities themselves that matter. And, yes, I do get that, too. Being flogged, for example, just plain feels good–in fact, I’ve seen people reach orgasm just from a flogging alone. For many people, in the right context and with the right partner, things that are painful become intensely pleasurable. And that’s totally cool. I like getting my partner off; I like doing things that my partner likes.

But I also like creating that shared emotional vulnerability while we’re at it. That, for me, extends the activity beyond physical pleasure, into a much more emotionally charged space. It creates a physical and emotional dance that, properly done, really lets you see right into your partner’s soul.

And I dig that.

Bizarre email of the day

In today’s mailbox:

From: <deleted>
Subject: How dare you!
Date: April 10, 2008 1:48:10 PM EDT

Yea how dare you attack Scientology like that!

You obviously know absolutely nothing about the religion or the practices contained within.

It is not a bizarre anything it is a practical way of dealing with life and your own personal situations.

You are fucking idiot!

*blink* *blink* No attached pictures of flying saucers, though. I’m not quite sure what triggered this email; I don’t recall saying anything about Scientology any time recently…