Author Archives: tacit

Apple vs the FBI: Whoever wins, it’s a mess

Posted on by
Reply

Apple and the FBI. It’s the Rock ‘Em Sock ‘Em Robots fight that the movie Alien vs Predator should have been, but unlike Alien vs Predator, this one so far has failed to disappoint.

On one side, we have a giant tech megacorp that makes cellphones. Also other stuff, I hear, but these days mostly cellphones. On the other, we have the full force and might of the United States Government, in the form of the Federal Bureau of Investigation. In between, we have: Terrorists! Encryption! Civil liberties! Donald Trump spouting off!

The Internet is filled with conversations about the spat, much of which are either not technically correct or overtly technical. It’s my goal here to try to explain a very complex situation in a way that doesn’t require a high level of technical mastery. However, this is a technical issue, so there will be some geeky bits.

The Background

Last year, a couple of assholes named Syed Rizwan Farook and Tashfeen Malik decided they were going to express religion of peace by blowing away a bunch of people in San Bernardino, California. They decided, you see, that something something holy war something martyr God, and something something kill people whatever…I don’t know or particularly care about the details, and they’re not really relevant here. So far, so boring: some yahoos think there’s an invisible dude in the sky who wants them to kill some other people, it all ends in tears–a story that’s been playing out with minor unimportant variations since the dawn of civilization. The FBI investigated and decided they were “homegrown extremists” (no idea if they were organic or GMO-free) and not affiliated with any other terrorist groups or cells.

This is the part where things get interesting.

During the investigation, the FBI discovered that the yahoos had Android smartphones, which they destroyed prior to going on their rampage of murderous idiocy, and that one of them had an iPhone 5C provided by the company he worked for.

This is the logic board from an iPhone 5c. Like all iPhones, the user data on an iPhone 5c is encrypted. You need to unlock the phone in order to get at its contents. By default, the phone is locked with a 4-digit numeric code. If you don’t enter the code, the phone’s contents remain encrypted.

You can’t just read the information from the phone’s flash memory, because it’s encrypted. The FBI wants to read the contents of the phone, for reasons that aren’t clear to me (if there was anything sensitive on it, it’s hard to imagine he wouldn’t have smashed the phone before running off to kill people who had nothing to do with whatever grudge he imagined his invisible sky-man carried, like he did with his other phones), but whatever.

The FBI tried to read the phone’s contents, and discovered that the iPhone is actually rather secure. If you want to know the full details of how secure, there’s a PDF on Apple’s iPhone security here.

So they went to Apple.

This is where things get really interesting, and a lot of the conversation about the situation gets some important facts wrong.

The Problem

The iPhone’s files and such are encrypted. This is not simple home-grown encryption, either; it’s military-grade 256-bit AES encryption. It can not be defeated by any known attack. All the world’s computers combined would take about a billion years to brute-force the encryption, which is a bit more time than the FBI prefers to spend on this.

Now, there are some important things to understand here.

One is that nobody can break the encryption, not even Apple. Apple has no secret back doors or master passkeys to get at the contents of a locked phone, and that’s not (exactly) what the FBI is asking them to do.

The other is that the four-digit code you type into an iPhone is not the encryption key. The encryption key is made up of a secret, random number embedded into each phone at the moment of manufacture, combined with the passcode you set by means of some arcane mathematics that are beyond the scope of this blog post. Apple does not know the encryption key; they do not have a way to set the unique hardware number, and in any event it’s all tangled up with the passcode the user enters in order to create the encryption key anyway.

So here’s where things sit: The phone’s contents are encrypted. The FBI wants access to the phone for whatever reason. Apple can’t decrypt the phone. So what’s the deal?

The Tussle

The fact that the phone in question is an iPhone 5c is really, really important. If it had been a 5S or a 6, it wouldn’t matter, because Apple made a change in the inner workings of the later phones to prevent it from being asked to do precisely what it’s being asked to do.

So, here’s how it works.

iPhones run an operating system called iOS. iOS is digitally signed; that means Apple has a secret encryption key it embeds into iOS. The phone carries a special, immutable boot ROM that contains the decryption code for this key. If it starts to boot and sees an operating system not signed by Apple, or if the operating system is tampered with in any way, the phone refuses to boot. (This is different from and not related to jailbreaking an iPhone. Even a jailbroken phone will not boot a copy of iOS not signed by Apple.)

What does that mean? It means nobody on earth–literally–can make an operating system the phone will boot, except for Apple. If the FBI or anyone else tries to modify the iOS boot loader, the phone will not boot. Only Apple knows the key needed to change the iOS boot loader.

Now, a few other things you need to know about how an iPhone works.

If you type the wrong passcode into an iPhone, the phone lets you try again. If you get it wrong again, the phone lets you try again, but after that, things start getting harder. The phone starts introducing a delay before you can try again. That delay gets longer and longer the more you enter the wrong code. By the ninth time you enter the wrong code, the phone refuses to allow you to try again until an hour has passed.

There are 10,000 different possible combinations of four digits. If you can only try one per hour, it will take you more than a year to try them all. Good luck trying to brute force the passcode!

There’s another complication too. If you get it wrong 10 times, the phone wipes itself.

Here’s where the 5c thing gets important.

Starting with the iPhone 5S, Apple introduced the “Secure Enclave.” The Secure Enclave is a special chip (well, actually, it’s a special section of the processor chip) that has its own memory. It’s basically a tiny, highly secure, tamper-resistant computer.

The Secure Enclave keeps the phone’s decryption key in its own special memory and talks to the phone over a special-purposes, encrypted communication link. The rest of the phone does not know, or have access to, any information stored in the Secure Enclave.

When you enter the passcode, the phone sends the passcode to the Secure Enclave. The Secure Enclave says “yes” or “no” about whether the right code was entered. If the right code was entered, the Secure Enclave decrypts the phone. If it wasn’t, the Secure Enclave refuses to do so. It also starts a timer. While the timer is running, the Secure Enclave refuses to process any more passcode requests. That timer runs for longer and longer as you keep entering the wrong code. If you enter the wrong code 10 times, the Secure Enclave wipes the encryption key from its own memory and that’s it, you’re done. Trying to get at the phone’s contents after that means you’ll be banging away at it until the stars burn out.

But… This is not an iPhone 5S or later, it’s a 5c!

On the 5c, the time delay and wiping the phone are not handled by the Secure Enclave, they’re handled by the operating system. The operating system enforces the longer and longer delay and the operating system wipes the phone if you enter the wrong code 10 times.

The Secure Enclave is a bit of hardware that can’t be tampered with. But the operating system can be changed. So if you have an older iPhone, you could, in theory, put a different version of iOS on it. A special version, with the timer and the phone wipe disabled.

Except, oh no you can’t, because the phone will not run an operating system that isn’t signed by Apple.

So the FBI wants Apple to create a new version of iOS. A modified version that has no time delay if you get a wrong passcode and no phone wipe. And then they want Apple to sign it and put that new version of iOS onto the phone.

This will not give them the contents of the phone. What it will do is let them try passcode after passcode as fast as possible until they break in. Without a phone wipe, they can keep trying as many times as it takes. Without a delay, they can try all 10,000 combinations in days or weeks instead of years.

Of course, there’s an added wrinkle to all this. The FBI already has a copy of the phone’s data.

iPhones come with a subscription to Apple’s cloud service, iCloud. iPhone users can choose to have their data backed up to iCloud. The backup feature was turned on on this phone. The FBI asked for, and got, a copy of the phone’s data backed up on iCloud.

Unfortunately, the copy they got is out of date. They screwed up and asked the company that owns the phone to change the iCloud password in order to have a look at what was there. The company complied. The FBI looked at the iCloud backup. Then they turned on the iPhone. The iPhone couldn’t make a new backup to the cloud…because the password had been changed. The FBI thinks it’s possible there’s information on the phone that’s newer than the information in the cloud backup. They’re not sure, though, because…they can’t get into the phone.

The Rationalization

If an iPhone were a safety deposit box and Apple had the key, the government would normally just issue a subpoena for Apple to produce the key, assuming they didn’t just take a blowtorch to the box and be done with it.

But that’s not what the government has done here. They can’t subpoena Apple to produce the encryption key or the passcode because Apple does not have and can not get the encryption key or the passcode, and Apple has no magic backdoor.

So instead, they’ve turned to the All Writs Act of 1789, a law signed by this dude.

The All Writs Act is a law that allows the government to issue “all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.” Essentially, it lets Federal courts issue orders to private citizens in order to accomplish legal ends. A writ was originally a written order given by a monarch to a citizen compelling the citizen to do something. The way it’s used in the All Writs Act, it’s an order from a court compelling a citizen to do something.

Like, for example, write a new operating system. Because the court says so.

The All Writs Act was signed into law before the Bill of Rights existed. The Bill of Rights would seem to put some limits, at least, on what the government can order people to do. In this case, the FBI thinks that ordering a company to write a piece of software is within those limits.

It should be noted that this isn’t a matter of commenting out a few lines of code and hitting “compile.” There are, for good reason, legal guidelines that must be followed when writing investigatory forensic software. These legal guidelines are necessary to preserve the chain of evidence and show in court that the software didn’t modify the information on the device being investigated. The standards are fairly complex and are outlined on this page on the Digital Forensic Investigator Web site.

Basically, the gist of it is the software must be documented, must be subject to peer review, must be tested on target devices similar to the device being investigated to show that it works and won’t corrupt, delete, or modify information, and must pass independent judicial review of its reliability.

So basically, the FBI is asking Apple to go to considerable trouble to build a new operating system, test it, document it, submit it for examination, and load it onto an iPhone 5c, for the purpose of allowing the FBI to keep trying all 10,000 possible passcodes until they finally unlock it. They’re using a law written before the Bill of Rights existed that authorizes Federal courts to issue orders to private citizens to do this. Basically, the All Writs Act says “the government can order people to do any legal thing.” It has zero to say on the subject of what constitutes a “legal thing.”

The Real Battle

The FBI wants Apple to create a new version of its operating system, with certain key security features disabled, and load it onto the phone so that its passcode can be brute-force hacked and the contents read. They’re not asking Apple to decrypt the phone; Apple can’t do that. They’re not asking Apple to provide the passcode; Apple can’t do that either. They’re asking for a new operating system.

Would this new operating system allow them to get at any locked phone? No, it would not. iPhone 5s and later models have these security features in hardware, etched in silicon on the Secure Enclave. A new operating system can’t change that.

So what’s the big deal? Is Apple coddling terrorists, like the FBI director implies and Donald Trump spouts all over Twitter from his iPhone?

No. As with an argument between two lovers that ultimately ends in divorce, this fight is’t really about the stuff this fight is about. This fight isn’t about a work phone that used to belong to a terrorist asshole and probably contains fuckall of interest to the FBI. The terrorism angle is a convenient excuse, because the word “terrorism” is kind of magic spell that causes a whole lot of people (including, bizarrely, conservatives whose entire political philosophy is built on the foundation of distrusting the government) to take leave of their senses and do whatever they’re told.

But this fight isn’t about this phone.

Washington is afraid of encryption. Much as gun lovers and survivalists love to think Washington is afraid of their guns (which is laughable in its absurdity–the military has way more guns than you do, Tex), Washington is afraid of encryption.

This fight has been a very long time coming. The government has always hated and feared encryption, even as it has invested tremendous resources in making encryption better.

In the early 90s, the US passed laws banning export of encryption products. I still own a T-shirt that was legally classified as a “munition” back then, and that you could be arrested on Federal charges for wearing outside the US or showing to foreign nationals, because it’s printed with source code for encryption software. Finally, in 1996, Bill Clinton scrapped laws against exporting encryption software, largely because they were hurting US businesses overseas, and besides, the Russians already had strong crypto because–surprise!–they had mathematicians too.

The fear of the Russkies has faded into nothing–there’s an entire generation now old enough to read this blog post that grew up with the Cold War being something you read about in history books, not something you lived through. Now, the bogeyman du jour is terrorists, or maybe pedophiles, or hell, why not both?

Police don’t like locked phones and encrypted comms, and Congress has been wrestling with what to do about that for years.

The government has mulled banning strong encryption. Not just the US government, but every government. China wants to ban it. France just debated banning it. India is planning to ban it. The UK wants to ban it. Congress has considered banning it no fewer than three times in the last two years.

The arguments are always always the same: If people can talk without the government listening, the terrorists win. Or the pedophiles win. Or the pedophile terrorists win. Law enforcement can’t do its job without being able to see what’s on your smartphone, because reasons.

Apple argues that if the government succeeds in ordering it to write a new version of iOS to help them get onto this phone, they will feel free to order it to write other software for them as well. Write us software to let us turn on this suspect’s cell phone camera and microphone remotely! Write us software to make copies of this suspect’s email! No legal principle exists that would limit the authority of the government’s ability to order Apple to do things like this.

And that’s a nice, cuddly government filled with the milk of human kindness, like the US government believes the US government is. If Apple has the ability to do these things and can be compelled to do so, the Chinese will really like that. Apple argues that if the FBI succeeds, it will basically have to create a whole new software department–call it the Department of Undermining Our Security Department–to handle the flood of orders coming in to write custom software to disable this or that or the other security feature. And they might be right.

The government says nobody else will get this hacked iOS version (or versions, if other requests start rolling in). Apple says that’s naive. Hard to say what’s scarier, the FBI with rogue Apple-signed iOS software, the Chinese with rogue Apple-signed iOS software, or rogue Apple-signed iOS software leaking into the hands of organized crime.

There’s also the very real possibility that if the government has success here, sooner or later it will realize that a terrorist using an iPhone 6 will still be able to secure a phone in a way that neither Apple nor the government can do anything about, and start calling on Apple (and other companies) to weaken their encryption. The Secure Enclave with its hardware timer and self-vaporizing key is pretty damn secure. What happens if the government decides to tell Apple to tone things down a bit for the iPhone 7? That’s not impossible, and if Apple can be forced to write a new operating system to help law enforcement, changing the design of their chips to help law enforcement is a doddle.

Encryption is math. Math is math; math doesn’t care about bad guys or good guys or legal oversight. If there is a way to slip past an encryption method, that way works for everyone, good guys and bad guys alike, because math is math and math doesn’t care. If it works for the FBI, it works for Igor in the Russian mafia as well.

So that’s what’s going on, and that’s what’s at stake. It’s a problem that doesn’t readily boil down to sound bites or Tweets, and that means, I fear, that the public won’t really understand what’s happening until it’s been decided for them.

Email Spam Re-revisited: How “mainstream” email marketers promote spam

Posted on by
Reply

Email spam–defined here as “unwanted, unsolicited commercial email”–is big business, with spam emails producing millions of dollars in revenue for the larger spam kingpins. There’s a huge cost to this spam, though. Google has released a PDF on the economics of spam, that talks about how much cost spam emails externalize onto others. Spam filtering, for example, costs about $6 billion a year, and without it, email would be largely unusuable.

Spammers often try to justify their spamming by claiming that email advertising is necessary to keep Web content free. It’s true that advertising is a necessary component of the Web–I wouldn’t be able to pay for all my Web sites without it. But as the Google report says, spamming is not the same as this kind of advertising:

How does spam differ from legitimate advertising? If I enjoy watching network television, using a social networking site or checking stock quotes online, I know I will be subjected to advertisements, many of which may be irrelevant or even annoying to me. Google, Yahoo!, Microsoft, Facebook, and others provide valuable consumer services, such as social networking, news and email, supported entirely by advertising revenue. While people may resent advertising, most consumers accept that advertising is a price they pay for access to valuable content and services. By contrast, unsolicited commercial email imposes a negative externality on consumers without any market-mediated benefit, and without the opportunity to opt out.

The vast majority of spam operations are run by a handful of spammers, the so-called “ROKSO spammers,” extremely prolific email spammers (some of whom are affiliated with organized crime, like Leo “Badcow” Kuvayev, a person involved in spam, malware, fake pharmaceuticals, and child porn and now in prison) who are part of the Register of Known Spam Operations.

There are also a lot of affiliate marketing companies–companies who pay affiliates to promote products. Some of these companies also run email marketing. All of them claim to be opposed to spam. But many are perfectly willing to allow spam, even spam by big-time ROKSO spammers, because of simple economics: it makes money.

I’ve blogged about one of these ROKSO spammers and his connection with “mainstream” affiliate and email marketing companies before. I monitor spam from this person, largely because I get a vast quantity of it to various email addresses. And when I say vast, I mean it–as in 839 examples of spam email in the last 20 days alone.

This particular spammer has a pretty simple modus operandi. He signs up for affiliate codes with “mainstream” email marketers and affiliate sales companies and spams, spams, spams. He tends to go for certain kinds of affiliate accounts: fake diabetes “cures,” quack “heart attack prevention” nostrums, right-wing conspiracy books, weight-loss fad diets, woodworking plans, and “get paid to do surveys” scams are his forté.

He’s worked with a wide range of affiliate companies before: Clickbank, Flex Marketing, and Clickbooth most often.

His spam activities slowed for a while, but recently have redoubled. And this new salvo of spam activities features two affiliate companies in particular: Clickbank and Cake Marketing. To a lesser extent, he’s still Spamvertising through AD1/Flex Marketing, but not as much.

He’s not foolish enough to spam Clickbank or Cake Marketing links directly. Instead, he spam links that are just 301 redirectors to Clickbank or Cake URLs, or open the URLs in a frame, to provide enough distance to shield Clickbank and Cake from direct association and provide a level of plausible deniability.

A few things have changed since I first write about this particular spam system, but the overall shape remains the same. The spammer, Mike Boehm, sends out millions of spam emails containing links to throwaway domain names. These domains used to be redirectors located at Namecheap; nowadays, they’re protected by Cloudflare, a name well known to spam fighters.

These domains are simply redirectors–that is, when you click on one of the links, you just get sent somewhere else. With these new spam runs, you end up either at a traffic redirection site owned by Cake Marketing, or at a domain that opens a Clickbank link in a frame. The new spam affiliate system is a bit different from the old one, and looks like this:

More than 90% of the spam emails–and like I said, there are a lot of them–go through Cake Marketing or Clickbank.

I’ve sent repeated complaints to the Cake Marketing and Clickbank email addresses, and received no reply. The spam affiliate accounts remain active. I expected this from Cake Marketing; to my knowledge, they never acknowledge spam complaints. I’m disappointed in Clickbank. They have terminated this spammer multiple times in the past, but appear disinclined to do so now.

Thereis an interesting postscript to this story: Clickbank has apparently established a reputation in the time since my last blog post on this subject as a spam haven. When I attempted to post this entry on LiveJournal, the following error message popped up:

Sex tech: Wave your arms in the air like you just don’t care

Posted on by
Reply

The street finds its own uses for things.
—William Gibson, Burning Chrome

Imagine, if you will, a device you strap onto your lower arm. This device has a bunch of embedded myoelectric sensors that respond to hand movements, and accelerometers that track arm movements. Yoked to these is a Bluetooth transmitter that relays a stream of data about your hand position and arm motion to a computer or smartphone. Sound exciting?

Meet the Myo, a gadget in search of a purpose.

It’s a neat, if pricey, device still in search of a killer app. It comes with a PowerPoint plugin that lets you flip through slides by waving your arm in the air. There’s an interface for Skyrim, though it’s a bit laggy and you can’t play for long before your arm gets tired. There’s also a bit of software that lets you control a small drone with arm gestures, though with less precision than a conventional remote control. It’s very much a “build first, look for a function later” gadget, reminiscent of many tech innovations from the age of the dot-com bubble.

In most industries, the “build it and they will come” approach to project engineering is looked at with less and less favor these days. I am a long-time mad scientist with a particular flair for designing and building all manner of high-tech sex toys, though, so to me “build it and they will come” is what gets me out of bed in the morning.

As soon as I saw a demo of the Myo, my mind instantly went to sex. Controlling a device remotely by gesture and motion? What could possibly be more fitting in a sex toy? (In fairness, I did once, many years ago, build an Internet-controlled sex toy called the Symphony—a name that might perhaps be more appropriate for a device that you can operate by waving your arms. Dance, my puppets! Dance!)

So imagine my surprise when I Tweeted that this would make a cool controller for a sex toy and shortly thereafter one showed up on my doorstep, courtesy of AV Flox over at Slantist.

Electronically, the Myo is a Bluetooth LE radio, a set of myoelectric sensors, a suite of accelerometers, and a low-power processor core running proprietary firmware. Information from the myoelectric sensors is interpreted and translated into a set of posture information. This information is combined with data from the accelerometer and transmitted as a series of gestures and motions.

Conceptually, it looks a bit like this:

The Myo communicates with a laptop or smartphone. The laptop or smartphone interprets the messages from the Myo, then sends appropriate commands to an Arduino with a Bluetooth board connected, instructing it to to run (or stop) a vibrator attached to the motor driver.

The Arduino is a small single-board computer that was designed to do easy experimenting with programmable devices. Think of something like a Raspberry Pi, only far simpler and without an operating system. You can get many additional boards for the Arduino to do all sorts of things—Bluetooth, WiFi, networking, sensors, motor drivers, and other boards exist. The Arduino and its add-on boards are designed to be stacked on top of one another, to make project development easy.

The laptop or smartphone is necessary because of Bluetooth’s design. Bluetooth is a computer-to-peripheral technology. A Bluetooth network uses a master/slave topology, which means a Bluetooth peripheral can’t communicate directly with another Bluetooth peripheral—a “master” device like a laptop or smartphone is needed as an intermediary. When I first started working on a Myo-controlled sex toy, I did the development on a Macbook Pro laptop.

The Hardware

For the first-generation version of the gesture-controlled sex toy, I opted to use an Arduino Uno with a Red Bear Bluetooth shield and one of Kyle Machulis’ Pen15 vibrator controller boards, largely by virtue of the fact that I already happened to have all of them sitting on my workbench.

The Arduino is a small electronics board, roughly the size of an index card, that’s easy to program and capable of talking to all sorts of peripheral hardware. As a controller for a sex toy, it’s a bit large and clunky. Combined with a Bluetooth board and a motor control board, the whole ensemble is about as big as a pack of cigarettes; not exactly discreet. There are several much smaller development boards available, and a later version of this project will probably be about the size of a quarter.

The Arduino, Bluetooth board, and motor controller, all stacked atop one another, look like this:

The blue board on the bottom is the Arduino itself, and contains the processor, power supply, and USB interface for programming. The red board in the middle is the Bluetooth board. The green board on top is the Pen15, an interface board designed specifically to run a sex toy from an Arduino. All together, this stack of boards cost about $40 or so.

The Software

Assembling the stack of components to make a Myo-controlled sex toy was the easy part. Writing the software turned out to be a bit more aggravating.

There are two parts to the software: a program running on the laptop (or smartphone, but for convenience I wrote the first version on my laptop), and a program running on the Arduino. The laptop software needed to pair with the Myo and the Arduino’s Bluetooth card, accept incoming data from the Myo, figure out how to translate those data into sex toy functions, and then send appropriate commands to the Arduino. The software on the Arduino needed to accept those commands and run the vibrator accordingly.

The Myo does a lot of on-board processing to figure out what hand gestures are being done, then sends the gesture data to the computer. It can recognize certain gestures, like making a fist, spreading your fingers apart, and tapping your thumb and forefinger together. It also sends information from the accelerometers, to report motion data.

For the first version, I wanted to keep things simple. I decided to look only at hand gestures, rather than arm motion. Making a fist, I decided, would turn the vibrator off; spreading my fingers would turn it on. (I opted not to control the speed of the vibrator, even though this is fairly straightforward for the Arduino to do, just to keep things simple.) This let me ignore accelerometer data and look only at hand gestures.

The Arduino software was relatively straightforward. The Arduino Bluetooth card comes with a programming library, which, much to my dismay, failed to work right out of the box. That’s surprisingly common in the world of Arduino development, where hardware and software is often designed by small groups of dedicated enthusiasts and may or may not work as expected the first time. An hour’s worth of Googling and some trial and error let me get the Arduino Bluetooth library working, and after that, things were a lot easier. I chose a command that would mean “vibrator on” and another that would mean “vibrator off,” and wrote a simple program that would poll the Bluetooth card looking for those commands and send the appropriate signal to the Pen15 board. All in all, the Arduino side of the equation took an evening to get sorted.

The computer/Myo side was a bit more complicated. The Myo I received was one of the first to ship, and the Myo’s software development kit was a mess when it was first released. (It’s still something of a mess now.) I had considerable difficulty pairing with both the Myo and the Arduino—something that wasn’t helped by the fact that Mac development is usually done in a language called Objective-C, and my experience with Objective-C is limited. It’s mostly like C++, mostly, but there are just enough differences to trip up anyone accustomed to C++.

I finally gave up on accessing the Myo directly and opted for a shortcut. The Myo comes with software that maps Myo gestures onto the keyboard, so I decided to make things even easier by going that route. I mapped an open-hand gesture to the letter ‘a’ on the keyboard and a fist to the letter ‘z,’ and decided to write the software so that it would send a “vibrator on” signal when it saw the letter ‘a’ and send a “vibrator off” signal when it saw the letter ‘z.’ I figured once I had that working, I could get more fancy and sort out accessing the Myo directly later.

It took a good bit of time to get even that part working. The software development kit for the Arduino Bluetooth card is, if anything, in an even more sorry state than the Myo SDK. It took a lot of hair-pulling to get the sample code to work properly, and it tended to break whenever I tried to modify it.

In the end, I did finally get it to work, after a fashion. It was (and still is) quite crude: it recognizes only two Myo gestures, which it translates into “run the vibrator at full speed” and “turn the vibrator off.” The software still has a maddening habit of losing touch with the Arduino occasionally, for no reason I can discern, but it works.

The test

I decided to try out the vibrator with one of my girlfriends who was visiting from the UK, where she lives. We had just finished a whirlwind three-week camping tour of ghost towns through the Pacific Northwest, a journey I am still chronicling.

We spent her last night in Portland at a hotel near the airport, and I thought, hey, this would be an awesome time to take the new toy for a spin, and maybe even get some video of the device in action. She thought that idea sounded splendid.

Unfortunately, the software had other ideas. As often happens, somewhere between being tested on my workbench and being tried in the real world, it decided to quit working. I debugged frantically while she lay naked in bed waiting. Eventually, she fell asleep, and the opportunity was lost.

Later testing would have to wait for a more favorable time. Eventually I was able to get it working again, but the moment to use it with her had passed.

The future

The current prototype gesture-controlled sex toy is quite primitive. Put together, it looks like this:

The hardware is still clunky. I plan to rebuild it using a DF Robot Bluno, which combines the Arduino and Bluetooth on a tiny board roughly the size of a quarter.

This should make it possible to create a discreet, miniaturized sex toy that can be worn in public. I have one of these sitting on my workbench, but haven’t had a chance to play with it.

Eventually, when I’ve made more progress on the strapon the wearer can feel and I have time to return to this project, I plan to refine the software, adding accelerometer control and allowing the vibrator to be controlled more precisely—perhaps by adding patterns to the vibration. (I have visions of doing a PowerPoint presentation at a business function while one of my partners sits in the audience wearing this device, as it responds to the same gestures I’m using to control the PowerPoint slides.)

Finally, I want to compile the control software for my iPhone, so I don’t have to lug around a laptop wherever I might want to use it. I can keep the iPhone in my pocket, where it silently listens to the Myo and sends signals to the sex toy.

The possibilities of remotely operated, Bluetooth-controlled sex toys that respond to wireless sensors, controllers, and other devices has a great deal of potential, especially if you’re a mad engineer like me. There’s rich territory here, just begging to be explored by intrepid adventurers. The early Myo prototypes are, I think, merely the tip of the proverbial iceberg. I can hardly wait to see what else is possible!

Two Chaosbunnies in the desert: Faffing

Posted on by
Reply
Part 1 of this saga is here. Part 7 of this saga is here.
Part 2 of this saga is here. Part 8 of this saga is here.
Part 3 of this saga is here. Part 9 of this saga is here.
Part 4 of this saga is here. Part 10 of this saga is here.
Part 5 of this saga is here. Part 11 of this saga is here.
Part 6 of this saga is here. Part 12 of this saga is here.

Fresh from the spectacular triumph that was Susanville, the semi-mythical old mining town on the end of an ancient and long-derelict road that nobody save Apple knows about (and boy, would I love to know how Apple added it to their maps!), we spent the next couple of days in a kind of Ghost Town Limbo. We had entered that period in our adventure I have come to think of as The Faffing.

It is a fact known to anyone familiar with the Great Northwest that the ruins of nineteenth-century boom town lie in scattered disarray across the countryside like clothing at a drug-fueled Roman orgy. Once you get into the desert of the Great Northwest, it’s difficult to swing a cat without hitting the remains of some old logging or mining building from the 1800s.

That is, in fact, exactly the point of our journey. Other countries, possessed of a less exuberant excess of rolling countryside that nobody much wants, or perhaps gifted with a more pragmatic approach to resource allocation, don’t have long-abandoned towns that just kinda sit around for a century and a half because nobody can be arsed to do anything about them.

And even in places where people do want to do things with the land, there’s just so damn much of it that if there happens to be an old tumbled-down log cabin or a gold processing building building of some sort, nine times out of ten it’s easier to work around it than to move it. So it stays there, quietly being Somebody Else’s Problem.

It’s this sort of neglectful attitude toward the dwellings of times gone that drew Bunny to the tour, as her native land of the United Kingdom of Britainlandia is, being on an island, much more conscious of making use of every square meter or hectare or whatever the hell unit of measure they use all the way over there.

So during The Faffing, we saw, and photographed, a great many tumbled-down buildings standing silent testimony to times long gone, though we were rather less successful in finding any real ghost towns. What ghost towns there are are often poorly marked, and the ones that are well-marked, we discovered, seem to be conspicuous in their existential absence when one goes to the appointed spot.

The Faffing was not a time of no productivity, but it certainly didn’t compare to the discovery of what was left of Susanville. Still, we did discover some pretty neat stuff as we wandered about aimlessly in the Adventure Van.

Like this abandoned building and rickety, half-collapsed footbridge over a surprisingly deep and treacherous creek, spotted by Bunny’s eagle eye as we drove down some county road or other.

Or this house, which looks like it ought to feature quite prominently in an episode of Scooby Doo. It was on the outskirts of some quiet little town in Oregon whose name I’ve already forgotten, but man, if I were a kid living in this town, this place would likely haunt my nightmares.

There are tons of old farm buildings lying in ruins all about the Pacific Northwest, some of which look like they might collapse into dust if some poor unsuspecting sod the next county over sneezes too vigorously.

We struck gold with this find, the remnants of an old one-room school building a couple miles outside the semi-but-not-really ghost town of Shaniko, Oregon. Bunny, as per usual, spotted it and said “Hey, pull over!”

The schoolhouse looks a lot Little House on the Prairie and a lot more “Outtake from an episode of Dexter” these days, which adds, I think, to the ambiance. It’s a cool old building, for sure.

We took a random detour from looking for old ghost towns when we spotted a sign pointing to a lava flow in an ancient forest, because, you know, chaosbunnies. The detour took us a lot farther out of our way than the sign suggested, but after quite a lot of travel, we did indeed eventually come to the ancient lava flow.

Oregon’s terrain has been shaped by catastrophic geology, much of it volcanic. Enormous seas of lava once covered quite large expanses of it, wiping out everything around them and leaving behind terrain that, millennia later, still looks kind of like a lunar landscape.

Where these huge flows of lava encountered forests, the lava encased the trees in solid rock. The trees died and disappeared, leaving these formations as their only remains.

We took quite a few pictures, but as this was only incidental to our real purpose (if indeed chaosbunnies can be said to have a “purpose,” as opposed to a mere intention) we did not linger long, and were soon off.

We found some more ruins, this time just outside yet another town whose name I’ve already forgotten but that seemed to be a regional freight transportation hub, judging by the astonishing number of large trucks that formed an unending stream of traffic through the town.

It really is quite astonishing just how many of these ruins lie about, being ruins. We stopped frequently to take pictures of yet another ancient relic of centuries gone by, sometimes to the consternation of state police who wanted to make sure that we hadn’t abandoned the van and headed off through the countryside with cameras and bunny ears and tea because we were, you know, like, in trouble or anything.

Just what set of unfortunate circumstances might force someone to abandon a van armed only with these three aforementioned things is not entirely clear to your humble scribe. Still, it is gratifying to know that people were looking out for us.

We still had some interesting random discoveries, and a few moments of stark terror, closing inexorably in on us, which I shall detail in later episodes of this chronicle.

I have a small stuffed hedgehog that accompanies me almost everywhere I go. Her name is Lilith. Those of you who saw us on the European book tour likely recognize her. Lilith rode on the Adventure Van’s dashboard during The Faffing, and appeared quite unfazed by the whole experience.

ISIS, WordPress, and insecure Web hosts, oh my!

Posted on by
Reply

It is a fact universally acknowledged that running a WordPress site is a dangerous thing to do. WordPress is often attacked by hackers, because so many sites run it and so many people are not good about installing security updates. The hackers will use the commandeered sites for all sorts of nefarious purposes: installing malware, hosting phony bank pages that they then spamvertise in “Update Your Account Now” spam emails, hosting redirectors that lead people to spam or porn or phish pages.

I get a lot of spam emails, and when they lead to phony bank pages I will often check the top level of the site that the phony bank page is hosted on to see what’s going on. As often as not, the phony bank page is living on a WordPress site whose owner chose a bad password or was negligent about updating, and got pwn3d.

So it was that I found a fake PayPal page and, when I checked the home page of the hijacked site it lived on, I saw something odd: the home page had been deleted and replaced with a message reading “HACKED BY DARKSHADOW-TN AND ANONCODERS”.

I didn’t realize I was about to stumble on a massive (and still ongoing) security breach at two large Web hosting companies, Arvixe and Eleven2.

   

Curious, I did a Google search for that phrase (hacked by darkshadow-tn and anoncoders) and found thousands of Web sites that had been hacked and defaced with that message. And I do mean thousands–nearly three thousand in all.

I started working through the Google list, visiting each Web site to see if the defacement was still present. I discovered that there were three basic types of defacement, almost all of them done to WordPress sites.

Some sites had their content removed and replaced with a simple text message.

Some had the content left alone, but the page title changed to read “+ADw-/title+AD4-HACKED BY DARKSHADOW-TN AND ANONCODERS+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-“. This appears to be a misconfiguration of the automated tools the hackers used to deface the sites; it seems the hackers were trying to insert this in the page’s body.

Some had a defacement message injected into the body of the Web site, usually at the top.

So, who are Darkshadow and Anoncoders?

Anoncoders is a loosely-organized group of Islamic computer hackers who use automated tools to hack poorly secured Web sites and deface them with anti-Israeli and pro-Muslim messages. They even have a Facebook page and everything.

Darkshadow is a group of pro-ISIS Muslim extremists who, like Anoncoders, often hack sites to deface them with pro-ISIS, anti-Israel, and/or anti-Western messages. They used to have a Facebook page, but it’s gone as of the time of writing this.

So we’ve got a couple of pro-Muslim, anti-Western hacker groups who generally use automated tools to hack low-lying fruit, such as WordPress and Drupal sites that are running old versions or otherwise poorly secured. So far, so ordinary–dare I say, even boring. These kinds of attacks are a dime a dozen.

I started making a list of hacked sites, checking who the Web host was, then sending emails to the Web host abuse address letting them know they were hosting hacked sites.

That was when things got interesting.

As I went through the results of the Google search, cataloging thousands of hacked sites, I started noticing something weird: all the hacked sites were on only two hosting companies. Roughly half of them were hosted by Arvixe, and the other half were hosted by Eleven2, an outfit that’s a subsidiary of a company called IH Networks.

That raised the possibility that this wasn’t merely an automated, script-kiddie attack against a bunch of low-hanging fruit, but a breach of two hosting company’s Web control panel software or some other weak link in the hosting companies’ software infrastructure.

I sent off emails to both Web hosts letting them know they had been the subject of a massive breach.

Unsurprisingly, neither of them responded. I say “unsurprisingly” because I have a long history of discovering massive security breaches at large, popular Web hosting companies that go unrepaired for months or even years.

I sent notifications to both of those Web hosting companies about three weeks ago. Upon re-examining the hacked sites today, I discovered, disappointingly, that the security problems have not been fixed and the sites remain compromised.

So I went back and looked at past abuse reports I have filed with those companies. This is my first contact with Eleven2, but I noticed that hacked sites I had alerted Arvixe to as long ago as last September are still compromised.

It seems there is a lesson here: Both Arvixe and Eleven2 have severe ongoing security problems and are more or less completely indifferent to fixing the problem.

If you use either of these Web hosting companies, I would suggest it might be prudent to examine your site carefully for security breaches, and to move to a different Web host as promptly as possible. It’s never a good sign when a Web host ignores reports that their servers have been breached by ISIS-affiliated hackers.

Some random late-night musings on profanity

Posted on by
Reply

When I was a kid, I had a little plaque with a poem on it hanging up on my bedroom wall. I have no idea who wrote the poem or where it came from, but it was there on my wall for so long I memorized it.

Never say die, say “damn!”
It isn’t poetic,
it may be profane,
but we mortals have need of it,
time and again.
And you’ll find you recover from Fate’s hardest slam,
if you never say die, say “damn!”

I love profanity. I’ll admit it. Supposedly “profane” language is language that communicates quickly and effectively, with lovely immediacy. It’s shunned because it’s particularly well-suited to conveying unruly emotions–messy, untidy emotions that some folks would like to pretend don’t exist.

But they do, and “vulgar” language is singularly eloquent in expressing them.

There is tremendous nuance in vulgarity. If I call someone a hopeless fuckmuppet, that conveys a different meaning than if I say they’re a hopeless fuckwit or a hopeless fuckhead. Each of these communicates disdain, to be sure, and in a far more visceral way than saying “I rather do believe that chap is quite distressingly incompetent at going about this business of life,” but those few syllables after the vulgarity carry a great deal of subtlety and differentiation.

People who fear vulgar language fear life, for it is a fact not easily overlooked that some parts of life are vulgar.

Call to the Lazyweb: Backup

Posted on by
Reply

I have a problem I’ve been beating my head against for a while now, and I’ve finally given up and decided to put this out there to the hive-mind of the Internet.

I have a laptop I want to keep regularly backed up. I have external hard drives that I use to do this, one that I carry with me and one that stays in my office in Portland. I use cloning software to duplicate the contents of the laptop onto them.

But I also want to do incremental backups, Dropbox-style, to a server I own.

I do have a paid Dropbox account and I do use it. (I also have a paid Microsoft OneDrive account.) But I’d really prefer to keep my files on my own server. What I want is very simple: the file and directory structure on the laptop to be mirrored automatically on my server, like such:

This should not be difficult. There is software that should be able to do this.

What I have tried:

Owncloud. They no longer support Mac OS X. Apparently they ran into problems supporting Unicode filenames and never solved it, so their solution was to drop OS X support.

BitTorrent Sync. This program is laughably bad. It works fine, if you’re only syncing a handful of files. I want to protect about 216,000 files, totaling a bit over 23 GB in size. BT Sync is strictly amateur-hour; it chokes at about 100,000 files and sits there indexing forever. I’ve looked at the BT Sync forums; they’re filled with people who have the same complaint. It’s not ready for prime time.

Crashplan. Crashplan encrypts all files and stores them in a proprietary format; it does not replicate the file and folder structure of the client on the server. I’m using it now but I don’t like that.

rsync. It’s slow and has a lot of problems with hundreds of thousands of files. The server is also on a dynamic IP address, and rsync has no way to resolve the address of the server when it changes.

Time Machine Server. Like CrashPlan, it keeps data in a proprietary format; it doesn’t simply replicate the existing file/folder structure, which is all I want. Like rsync, it has no way to cope with changes to the server’s IP address.

So you tell me, O Internets. What am I missing? What exists out there that will do what I want?

So you Want to Have a Threesome…

Posted on by
Reply

Group sex. It’s arguably one of the most common sexual fantasies that exists, right up there with the one about your French teacher, a paddle, and a giant pot of honey. It’s also one of the most fraught: How do I find people who want to have a threesome? What happens if I’m with a partner who’s more into the third person than into me? What if I get jealous? What if my partner gets jealous? What if there’s Drama? What if I feel left out?

I’m a huge fan of group sex. I lost my virginity in an MFM threesome (something I talk about in my memoir The Game Changer), and in the time since I’ve had far too many threesomes (and quite a lot of foursomes, and a few fivesomes, and some elevensomes, and at least one fifteensome) to count.

Group sex is hella fun, though like any kind of sexual activity it’s not everyone’s cup of tea, and that’s okay. If group sex is something that interests you, it can be hard to know where to get started and how to stack the deck in favor of a good experience for everyone. That’s what this guide is for.

What is group sex like? Fun. I’ve consistently found it to be amazing. First, though, I’ll talk about what it’s not like.

What group sex isn’t

It’s not (usually) like what you see in porn flicks or Hollywood movies. The other folks involved are people; unless you’ve hired a pair of sex workers, they’re not there just to be part of a male wank fantasy.

I’m afraid I have some bad news for the straight dudes in the audience: When you’re having sex with two (or more) women, they’re not there just for you. It’s not all about you and your pleasure. A typical threesome wank fantasy is about two women who make out or have sex with each other just to get the dude hot, but secretly they both need the D.

That’s not likely to be how it happens. Maybe they’re both straight. Maybe they’re both bi and more into each other than him. Like I said, I’ve had a threesome with a bi woman and her lesbian girlfriend; we both paid attention to the bi woman, but her girlfriend and I had no contact at all. It was all about the bi woman, not all about me.

In fact, threesomes with two men are about as common as threesomes with two women–and no, you don’t need to be bisexual to have a threesome. Three men can have a threesome, as can three women. If you’re a straight guy, you also need not feel threatened by the presence of another penis in the room. As many women as men fantasize about threesomes, and often, women quite fancy the notion of two men paying attention to her as much as men like the idea of two women paying attention to him.

Which brings up another point: unless you’ve explicitly negotiated otherwise, you can’t assume it’s a free-for-all. You don’t get to do whatever you want with both of the other folks involved. Everyone is going to come to group sex with their own limits and boundaries. If you ever want to have a second threesome, pay attention to those boundaries! Yes, people are getting naked and sweaty. No, that doesn’t (necessarily) mean you get to have sex, or perform any particular act, with either or both of them. They have the right to say what you may or may not do with their bodies. (And so do you, by the way. You are never obligated to have sex with someone just because they’re involved in sex with someone else. I am straight, so when I have threesomes involving another guy, he and I don’t touch. That’s fine. Your body, your rules.)

Finally, a lot of folks naively assume “if I’m with someone and we both have sex with the same third person, we won’t feel jealous because we’re both there!” Wrong. Jealousy is about insecurity, and it’s possible to feel insecure even when you and your partner are having sex with the same lover. The best time to get a handle on that is before you invite someone else into your bed, not after.

What group sex is

Fun. Lots and lots of fun. Threesomes can happen in a wide range of configurations with a wide range of activities that go way beyond the stereotypical porn shoot or wank fantasy. They offer virtually unlimited ways for three people to come together and explore.

There’s something delicious about having two sets of hands and lips and tongues on your body that’s just amazing. It’s fun to be the one receiving that attention, but it’s also fun to be participating in giving someone else that kind of pleasure.

It’s cozy. Three people all wrapped up together is really nice. It’s incredibly intimate, both physically and emotionally. I remember a situation where I, one of my girlfriends, and my FWB all spent the night together. We had lots of sex and fell asleep all tangled up together, but you know what the most fun part was? The next morning when we woke up and showered together. The three of us barely fit in the shower stall, and all of us were still sleepy and a bit giddy from the night before, and it was incredibly warm and cozy and intimate.

The sex is amazing. There are a lot of sensations and activities that are not possible with two people that are possible with three.

If you’re a straight dude in an FMF threesome, for instance, it’s not necessarily a question of having ordinary PIV intercourse with two women, though of course that can be part of it (and it’s hella fun when it is). I’m a big fan of pegging (having a woman use a strapon on me), and in threesomes, there are all kinds of fun combinations available. I’ve been on top of one lover having PIV sex with her while another lover is behind me pegging me…that was fun! (We broke the bed.) I’ve been lying on my side spooning a lover and penetrating her while another lover is spooning me and pegging me. There are all kinds of varieties in any kind of threesome, and a little imagination goes a long way.

It’s a lot of fun when bondage is involved, too. The night before my girlfriend and my FWB and I ended up in the shower together, my girlfriend and I tied my FWB to the bed and we both took turns playing with her. On another occasion, I was tied to the bed on my back while one lover straddled me and rode me, and another lover sat on my face. The two of them made out with each other while they both took pleasure from me. As you can imagine, both experiences were really hot.

So how do you make it work? What are the rules for group sex?

In my experience, the most important rules for threesomes (or foursomes or orgies or any other group sex) are not that different from the most important rules for two-person sex. Sex is sex, after all, and it doesn’t turn into something qualitatively different for n>2. As with any sex:

  • The folks involved are people, not sex toys or objects for your pleasure. Their needs and desires matter just as much as yours.
  • Consent matters. This means do not do things without someone else’s consent. Do not, for example, assume you have sexual access to everyone else involved. (I have had threesomes with two women where one of the women involved self-identified as lesbian. I have had threesomes with two women where one of the women was the girlfriend of my partner. In neither case did I assume that just because there were two women there, that meant I got to have sex with both of them.)
  • Set and respect boundaries. Talk about what access you will and will not allow to you. You don’t have to have sex with all the other folks just because your orientations and/or wibbly bits line up!
  • Talk about and plan for sexual health. Use barriers, exchange sexual histories, or do whatever else you need to do to protect your health.
  • I have found that sex of all sorts usually goes better with friends than with strangers. It is common for people new to group sex to want to try it with strangers, because they fear that having sex with people they know will make things “awkward” or induce jealousy. In my experience, though, inviting a random person into your bed goes along with inviting random communication skill, random sets of expectations, random STI risk profile, and random risk of Drama into your bed. With friends, you’ve already established a baseline, I hope, of communication and trust. Those things make sex better.
  • Communication matters. If you’re feeling something you didn’t expect, communicate! If you want (or don’t want) something to happen, communicate!
  • Treat the other people with respect and compassion. They are people too, remember? Treating people well is the key to having everyone have a good experience. When you treat other people well, you might get to play again!
  • If you do have an unexpected response, try to deal with it with grace. It’s okay to feel unexpected things when you try something new. If you need to stop, stop, but do so calmly and without shame, blame, or drama.
  • Don’t spend all your time trying to script exactly what happens or how it goes, unless scripting sex is your particular kink. Sometimes people are tempted to try to avoid jealousy by using a script. That’s unlikely to work. Jealousy is caused by insecurity and it’s hard to navigate around insecurity with rules or scripts.

Special considerations for safer sex

Group sex poses special challenges for safer sex that you might not have to think about when you’re accustomed to the more one-on-one variety. In addition to being aware of transmitting potential pathogens to your partner or receiving them from your partner, you also have to be aware of transmitting them between participants.

Some of these guidelines are common sense. If you use barriers like condoms, for instance, don’t use the same barrier with two different partners. Change condoms when moving between partners.

The same goes for use of sex toys or fingers. Be aware of who you’ve touched and with what. Cover toys and change the coverings between partners, or use toys with only one partner. Don’t put your fingers in one person’s wibbly bits and then put them in another person’s bits, if those people aren’t fluid-bonded.

Oral sex requires particular care. We don’t necessarily think of it as a vector between two folks who aren’t directly intimate with each other, but it can be. Use dental dams or condoms if you’re offering oral sex to two partners, or use mouthwash between partners. Be aware of where your bits have been, where your fingers have been, and yes, where your tongue has been.

Finding partners

Having group sex doesn’t take magic superpowers or arcane pickup secrets you learn from the seedier corners of the Internet. It does, however, help to let go of conventional attitudes about sex. We are all, throughout our lives, inculcated with a lot of baggage around sex, and some of that baggage makes it really hard to have threesomes.

In my experience, there are three approaches to trying to find group sex.

A lot of folks start out with a conventional relationship, then search for someone who will basically be an expendable fantasy fulfillment object. That can feel nice and safe. The third person is barely even a person. In fact, a lot of folks set strict rules on what that third person can and can’t do, or even set rules that it has to be an anonymous stranger from Craigslist rather than a friend or acquaintance, in the belief that this will avoid jealousy or awkwardness.

There are several problems with this approach. First, in my experience, the couples who do it are often trying to outsmart jealousy by planning and scripting a scenario they think will keep it at bay. But jealousy doesn’t come from sex. Jealousy comes from insecurity. If you see your partner enjoying someone else, and you’re sexually insecure, you will likely feel threatened and jealous even if the other person is a stranger, even if you’re having sex with that person at the same time, and even if you’re following a script. Second, sex with a stranger can feel less threatening than sex with a friend, but the problem is a random stranger brings random STI profile, random integrity or lack thereof, random baggage, and random drama to the table. Third, it encourages thinking of that person as a thing, not as a person with needs and desires.

It’s easier to take this approach than to build good tools for self-confidence, security, communication, and respect. A lot of folks take this approach because they don’t want to (or don’t know how to) build those tools, and the results are mixed. It is possible to have a good threesome with this approach, but it’s surprisingly hard. I think every threesome horror story I’ve ever heard (and I’ve heard quite a lot of them) started with this approach.

The second approach is to join a swing club or lifestyle community. This approach is really intimidating to a lot of people. There are all kinds of stereotypes about swingers, it can be hard to admit to other people what you want, and a lot of folks will say things like “sure, I want to have group sex, but that doesn’t mean I’m like all those perverts!” (Seriously, I’ve heard people say just that.)

The advantages to this approach are that it’s safe–the lifestyle community tends to have zero tolerance for abusive or disrespectful behavior, there is a strong culture of not disrupting other people’s relationships, there are meet and greets where you can get to know folks in the community in a low-pressure social setting without sex, and you’ll meet people who are on the same page about what you want. The disadvantage is that it’s intimidating at first, and if you’re still carrying around a bunch of baggage like sexual insecurity, sex negativity, or poor communication skills, you’re going to have to address those. It also can tend, depending on where you are, to favor people who are conventionally attractive. But the lifestyle community offers a structural way to get what you want on your terms.

My approach is different. I’ve never “found” a partner for a threesome by going out and looking. All the threesomes I’ve ever had have involved people I already knew. I’ve always had a social circle who are open and sex-positive, so I’ve never had to go out searching; it’s always been more like “hey, I like you, I’d like to explore bring more physically intimate with you, whaddya say?”

I’ve tried to work on myself to build strong self-esteem and security, to confront my fears and insecurities, to develop the qualities of integrity and transparency, to be able to talk about sex without fear or shame, and to let go of the idea that if my lover digs sex involving another person that means I’m not good enough or whatever.

I’ve also worked hard to understand three principles that sound obvious but aren’t:

  • I can’t expect to have what I want if I don’t ask for what I want
  • If I feel something bad or unpleasant that doesn’t necessarily mean someone else is doing something wrong
  • Other people are real, which means their needs and desires are just as valid as mine.

Having done that, I deliberately built a social circle of open, sex-positive people. I got over feeling intimidated about going to kink or lifestyle social groups. I sought out people who have positive, healthy attitudes about sex. I worked on my own integrity.

And it really paid off. And because my social circle is made up of folks with good communication skills and positive attitudes about sex, it’s remarkably drama-free.

This approach takes the most work of the three, but it’s work you do on yourself. Being confident and secure, being open, having good communication skills, being willing to face down your fears and insecurities help you find partners, sure, but they also help you live a better, happier life.

Hey, now, hey, now, now…

Posted on by
Reply

Any goth worthy of their black stompy boots is familiar with the Sisters of Mercy song This Corrosion, and indeed has probably spent many a late night dancing to it, optionally while smoking clove cigarettes.

To help all of us better understand this song, which has touched the lives of so many goths, I offer: a flowchart for This Corrosion, the better to comprehend the inner workings of this important contribution to the goth arts.

Two Chaosbunnies in the desert: Susanville, or, Siri knows better than Google

Posted on by
1
Part 1 of this saga is here. Part 7 of this saga is here.
Part 2 of this saga is here. Part 8 of this saga is here.
Part 3 of this saga is here. Part 9 of this saga is here.
Part 4 of this saga is here. Part 10 of this saga is here.
Part 5 of this saga is here. Part 11 of this saga is here.
Part 6 of this saga is here. Part 12 of this saga is here.

The next stop on our whirlwind tour of ghost towns, cunningly planned through extensive and repetitive Googling of “ghost towns west coast,” was Susanville.

It would prove an elusive target. Susanville was established in 1864 when some bloke found a big lump of gold in a remote corner of Oregon, and a bunch of other blokes came flocking to the spot hoping to find more lumps of gold. Times being what they were, it wasn’t considered a proper town because it didn’t have its own post office, so in 1901 a bunch of miners, ahem, stole the post office from a neighboring mining town, making Susanville an improper town. Or so the story goes. It is not clear to your humble scribe how one steals a post office, nor whether the legitimacy conferred by a post office remains if the post office is stolen. Such matters are not for me to understand.

I used Siri to plot us a route to Susanville, and we were off. The trip started promisingly enough when we found a turnoff precisely where Apple Maps said it would be, with a much-faded sign suggesting we were on the right track.

Alas, things soon became complicated. I navigated the Adventure Van for quite a long while on a narrow single-lane dirt, steadily moving farther and farther from civilization, until Siri told me to take a left turn onto a road that most completely and utterly did not exist. There was not the slightest sign that a left turn had ever existed in that spot, nor that one is ever likely to exist any time between now and when the stars burn out.

Bunny and I scratched our heads. “Let’s keep going,” she said. “Maybe GPS isn’t sure where we are. We’ll look for a left turn.”

We kept going. A left turn failed to appear. After we had traveled a considerable number of miles, with Siri telling us “make a U-turn, make a U-turn” over and over until madness threatened, I got the idea to try Google Maps.

This is not, I would like to point out, ordinarily such an insane idea. Google often knows better than Siri the ways of human navigation. In this case, however, Google was worse than useless. Siri showed us the road we were on, if I may be forgiven the literary excess of use of the word “road;” Google showed nothing but an endless expanse of featureless green. Where Siri believed there to be an exuberance of roads, including the one we could not find. Google showed nary a trace of human existence at all.

We turned around. “Turn right,” Siri said. Again, the road onto which we were supposed to turn persisted in its obstinate failure to exist.

“Maybe there used to be a road here,” I said. Bunny looked doubtful.

I stopped the van. “Siri says there’s a road right here,” I said. “Let’s get out and walk. Maybe we’ll find it.” Bunny still looked doubtful.

We walked for a while. “Siri says the road is right here,” I said. “Let’s just stay on the road according to GPS and see what happens.” Bunny looked very doubtful.

Still, the one thing you can count on if you’re a chaosbunny is there will be chaos. We set out through the field, watching the phone closely to keep the little blue dot centered on the road Siri insisted was there and reality insisted just as passionately was not.

When we’d walked for ten or fifteen minutes, Bunny pointed ahead. “I think this might be a road after all,” she said. “Look!”

Sure enough, there was a slight depression that was just regular enough to make it seem that, if you squinted hard enough and perhaps dropped acid, might seem it was once a road.

With a new surge in confidence, we kept walking. After another twenty or thirty minutes or so, and an inconvenient but fortunately narrow stream we were forced to jump across, we found… a road. A real, genuine, unmistakeable, honest-to-God road, exactly where Siri told us it would be.

We trotted along the road and rounded a large outcropping of rock, and then, there in front of us…a decaying house, tucked in the shadow of tall trees, glorious in its ruin. We had begun to believe it no longer existed, so as you can imagine, gentle reader, that moment when we rounded that corner made our hearts sing with joy.

Ladies and gentlemen, I present to you: Susanville, Oregon.

We poked around the ruined buildings for a while, taking pictures like mad and giggling like…well, like we were mad.

The largest house we found maintains silent watch over what used to be an old gold stamping mill, there on the other side of the river. Little remains of the mill but a heap of lumber.

I’d love to know what life was like out here, back when people came to this place in search of wealth. The few remaining houses are quite large, and were probably surprisingly comfortable given the remote inhospitality of the place.

Some of the remaining structures look a bit creaky. I was reasonably sure they probably wouldn’t collapse on us without warning, entombing us in a pile of old lumber and avarice.

When tea-time came around, Bunny sat down on an ancient and massive tree stump and…well, looked very English.

Tea properly handled, we resumed our explorations. I have no idea what this is, but it’s quite lovely.

We forded the river to examine the ruins of the stamping mill more closely. At first, I thought it was a lumber mill, but Google says no, this is where gold ore was brought to be crushed and processed. Of course, Google also said there was no road out here, so what does Google know?

The view back to the largest house from the mill is quite beautiful. I don’t imagine life here was easy, but it certainly did offer scenic natural beauty in spades.

In fact, it’s so lovely I’m a little surprised nobody lives out here now.

Susanville was amazing, and it was with heavy hearts we bid farewell to it and started the long hike back to the Adventure Van.

As fantastic as Susanville was, still more wonders waited in our future, though we had to pass through stark terror to get there. That story will come in time.