Category Archives: Uncategorized

Some thoughts on noticing differences

Posted on by
40

“But what if he compares me to somebody else?”

That’s a question I hear, often, in conversations about polyamory. Oh, I get the usual questions–how do you decide who’s sleeping with whom, don’t you get jealous, how do you find poly folk, that sort of thing. But surprisingly often, someone will ask “What if he compares me to somebody else? What if he has two lovers, and he compares me to her?”

Now, honestly, I think that’s a good thing. I want my lovers to compare me to their other lovers, for reasons I’ll get to in a minute. But first, let’s unpack the question a bit.

The question assumes quite a bit of subtext. When someone asks me “What if he compares me to his other lover,” the subtext I see inside the question is the assumption that such a comparison would go badly. Presumably, a person who believes himself or herself to be absolutely the bee’s knees wouldn’t approach being compared with other folks with fear and trepidation.

So I think the question “What if he compares me to his other lover?” has an implicit “…because she must be better than I am, and so if he does that, he’ll realize what a pathetic loser nobody I am” attached to the end.

Which is, of course, nothing but good old-fashioned insecurity at work. Insecurity is a good news/bad news kind of thing; the good news is that insecurity is really not that hard to beat; with practice, I think that just about anyone can learn the habits of security. The bad news, naturally, is that the process of letting go of insecurity is scary and uncomfortable, and the discomfort can sometimes seem worse than the insecurity itself.

At least for a little while. Learning security doesn’t actually take all that long, and insecurity lasts indefinitely if untreated, so the scales tip pretty decisively if you take the long view…at least, I think they do. But you gotta take the long view.

All that aside, though, it definitely seems to me that a person won’t fear being compared to other people unless there’s some kind of voice somewhere in the background of that person’s head telling him that the comparison is apt to end badly, so I think the question itself is very revealing.

Most questions are, though, when you get right down to it, especially questions about relationships. I had a person ask me once…but no, that’s a whole ‘nother post itself.

There’s an irony, in that the fear of being compared to someone else can actually mask a great source of security. And that security comes from knowing that you, and everyone around you, is unique and therefore irreplaceable.

When my partners compare me to their partners, they’ll probably notice similarities (I tend to have a taste for women who like geeky gamer poly guys, so they’ll probably have other partners who are–wait for it!–geeky poly gamer guys), and they’ll notice differences. And the differences are what make us individuals, not interchangeable commodities.

I think the question “what if he compares me to others?” assumes, in addition to a presumption that the comparison will end badly, the notion that such a comparison would reveal which one is “best.” ‘Cause, you know, if Joe thinks that Cathy is best and Jane is second-best, then Joe would naturally prefer Cathy to Jane, right?

And who knows? Maybe there are some folks out there who would do something like that–evaluate their partners to find out which one is “best,” then stay with that person ’til someone better came along. Now, personally, I think folks like that can be spotted pretty easily. I also think if I am with a person like that, I’d want to know about it as soon as possible, so that I could dump their sorry ass and find a partner who, y’know, actually wanted to be with me ’cause they value me.

But I also have seen people stay with partners who don’t appear to like them very much because they believe that if they leave, they’ll never find another partner again as long as they live, and will be doomed to a solitary life forever and ever, amen–so they gotta take, and try to keep, what they can get.

Which brings us, of course, right back around to insecurity again.

Now, my partners are about as different from one another as you could possibly imagine. They all have some things in common, of course–they’re all women, for one. They’re all unusually intelligent, for another. And they’re all polyamorous; my days of dating monogamous partners are over.

But other than that, they’re very different from one another–physically, psychologically, philosophically, practically. And when I spend time with my partners, yes, I notice the differences.

It would be impossible not to. Shelly’s taller than I am; figment_j is shorter. It’d be well-nigh impossible not to notice that I have to stand on tiptoes to kiss Shelly and look down to kiss figment_j. When I sleep next to one of my sweeties, my arm wraps around dayo differently than it does around joreth. (Actually, figment_j even commented on that the last time I saw her; physically, when we’re lying next to each other, we fit together much differently than she and her other sweetie do.)

And in terms of personality, my partners are even more varied than they are physically. Some of my sweeties are extroverted; others are introverted. Gina loves sushi; joreth doesn’t eat seafood. Shelly is a math geek; dayo loves sports cars. Gina has the same deadpan sense of humor I have; joreth is prone to cynicism; figment_j is an optimist in cynic’s clothing, even on her worst days. And yes, I notice these differences. Be a bit bleedin’ impossible not to. Hell, I cherish these differences, because every one of them is what makes each of the people who has blessed me by being part of my life unique.

And isn’t that the point?

When you compare your lovers, when you notice the similarities and differences between your lovers–this is a necessary and inevitable consequence of seeing your lovers. Not as faceless, interchangeable units, but as human beings. You can not know a person, not in any meaningful way, without noticing those things that make that person unique.

It’s not about comparing them on a stepladder to figure out which one is “best”–lessee, Gina gets four points for loving dogs, ’cause dogs are cool; joreth gets six bonus points because she hates the novel Stranger in a Strange Land, and I don’t like it either1–and the one with the most points wins. ‘Cause, y’know, the one with the most points is the best one.

Instead, it’s about seeing each of my partners for exactly who she is. When you do that, you see that each person is someone who adds value to your life–value that any other person can’t.

And that, my friends, is awesome.

1 figment_j believes I don’t appreciate Heinlein the way I should. I’m willing to give him another go–I last read a Heinlein novel more than ten years ago, and I still have one of his books she recommended which I haven’t read on my “to be read” list–so we’ll see.

You know it’s bad when…

Posted on by
26

…you’re too sick even to be horny.

For the past week and two days, I have had The Head Cold From Hell. Seriously. Not only has my nose been turned by the action of microbes so primitive they can scarcely be called “alive” into a gigantic factory for the production of mucous and human misery, but to add a cherry on the top of the misery and mucous sundae, my throat feels like it’s been sandpapered. With 40-grit sandpaper. Attached to a drill.

Or perhaps like I’ve been swallowing hedgehogs whole. That’re hopped up on amphetamines.

I seem to have inherited this particular lovely little virus from dayo when I was in Chicago. It’s got a week-long incubation period, so I had plenty of time to come home and spread it around the office before I got sick.

On the good side, though, I’ve been coughing so bad I can’t sleep, so I’ve been using the time to try to read. I somehow got the idea that I might be able to read myself to sleep at night, but the book I’ve been reading is William Gibson’s All Tomorrow’s Parties, so I don’t know what I was thinking. Reading Gibson to go to sleep is about like trying to put yourself to sleep by downing a shot of moonshine, followed by a chaser of crystal meth and PCP.

All I can say is thank god for Advil and Benadryl. They’re the only things making it possible for me to be upright and reasonably mobile. Don’t know what I’d do without it, really. I was chatting with Gina at oh-fuck-thirty in the morning a couple nights ago and said “What did people in pre-industrial societies do when they got sick?” and she said “they died.” Which is pretty damn close to the truth, actually.

And that reminds me that I have a whole ‘nother LJ post to make about that, which I somehow haven’t got ’round to yet.

More computer crime anatomy

Posted on by
144

So a while ago, I posted extensively about an underground network of computer virus distributors that I’d uncovered while pursuing American ISP iPower Web about their ongoing, chronic security problems which I first wrote about last December.

It seems that in the brave new world of the Intertubes, crime does pay. It pays very well indeed, in fact. The network I documented earlier has morphed and changed radically in the past few weeks, and become larger and more resilient. In addition, a new attack vector has emerged: attacks on old, outdated versions of WordPress weblog software.

I know that a lot of folks on my flist maintain their own WordPress blogs. Please, please, please, if you run WordPress or know somebody who does, update your WordPress software. It’s quick (takes about five minutes) and easy, and all versions of WordPress prior to 2.5 should be considered completely insecure.

In the past couple of weeks, I’ve noticed a huge surge in WordPress hack attacks, to the point where last Monday there were more hacked WordPress systems than hacked iPower Web sites that were being used to redirect folks to Eastern European virus downloaders. It seems quite likely that the hackers are using automated tools to find and automatically attack old WordPress installs, though one person I’ve spoken with says he believes his WordPress install was attacked through an insecure FTP username and password that was brute-force guessed as well.

The network that is being used to distribute viruses is being fed from a lot of different sources: hacked iPower sites (of course), hacked WordPress installations, Google Groups set up as malicious redirectors, custom attack domains piggybacked on top of legitimate Web URLs, and hijacked phpBB and phpNuke installs seem to be the most common. For an update on what’s going on in the seamy computer underground, and a new map of the computer distribution network:

Clicky the link! (We are going to get technical here)

Call to the Lazyweb

Posted on by
80

Since I have a diverse flist and I know a lot of you have all kinds of interesting skills and knowledge, and since I’m swamped with work at the moment and don’t have time to do the research…

Anyone see any inherent problems with using sex toys made of pure silver? As in, safety or health issues surrounding silver dildos or other insertables?

Security is hard…

Posted on by
20

So I’m a regular reader, and contributor, to the MacFixit forums, technical computer troubleshooting forums for Mac users that are part of the larger MacFixIt Web site.

MacFixIt is a very large, highly active Macintosh troubleshooting site. It offers articles, advice, commentary, and tips for all things Macintosh. Among other things, it announces new Apple security updates, and recommends that users keep on top of security patches. Good advice, right?

Err…

The forums at MacFixIt run on Web forum software called UBB.threads. To be specific, they run on UBB.threads version 6.0.2, released in 2002.

Now, let’s think about that for a second.

A large, busy Web site–a Web site dedicated to, among other things, information about computer security updates–is running forum software it has not updated since 2002. I bet some folks will already be able to tell where this story is going.

Yesterday, I logged on to the forums to discover that the forum topics and message board lists had been replaced with long lists of racial epithets. A quick Google search turned up a security advisory dating back to 2005, or three years ago, reporting that versions of UBB.threads prior to 6.5.2 had a really, really big number of really, really serious security problems, including cross-site scripting vulnerabilities, SQL injection vulnerabilities1, and parameter inclusion vulnerabilities.

Turns out versions prior to 6.5.3 also have a posting vulnerability that can yield up complete control of the Web server to a malicious user.

Now, these are just the vulnerabilities that have been known and documented, and reported by UBB.threads itself, in the last three years. Even more recent versions still have some pretty significant vulnerabilities.

The current version, just for the record, is 7.2.

So I fired off an email to the administrator of the MacFixit forums, and for the last day and a half the forums have been “down for maintenance.”

D’oh.

Egg, meet face. How in the name of God, in this day and age, does anyone who runs any kind of sophisticated server software on the Internet not keep on top of security updates? For six years?

1 And in this day and age, anyone who does not sanitize user input to guard against SQL injection needs to be shot.

Including you, Microsoft.

Rape fantasy and resistance play

Posted on by
80

Note: This is part 7 of an occasional ongoing "how to" series on BDSM.

Part 1 of the series, How to Tie a Rope Harness Part I, is here.
Part 2 of the series, How to Tie a Frog Tie, is here.
Part 3 of the series, How to Tie a Shinju, is here.
Part 4 of the series, How to Make a Custom Dildo out of Ice, is here.

Part 5 of the series, How to Make a Spikey Decorative Collar, is here.
Part 6 of the series, Theory and Practice of Ginger Figging, is here.

As you can probably figure out, most of these tutorials are really, really not work-safe.

This particular tutorial is not in any way work-safe, photographically or in text. It covers a topic that is both very common and yet at the same time triggering for a lot of people: rape fantasy. It covers communication, negotiation, and some starter scenarios, if this is the sort of thing you might like to try. If it sounds like it’s up your alley, clicky the link!

Onward!

Some thoughts on computer security and credulity

Posted on by
34

So recently Business Week magazine ran an article about keylogger software being used in espionage. Essentially, defense contractors are being tricked into infecting their computers with keylogger malware, sent in targeted emails that appear to come from the Pentagon and other governmental sources.

The thing I find interesting about this, and also about things like the Storm and Kraken worms, is that they don’t take advantage of security flaws or vulnerabilities. They don’t attack holes in a computer’s operating system or applications, and they don’t rely on technical exploits of programming errors. These attacks all rely on tricking the victim into deliberately, intentionally infecting himself.

For that reason, I don’t think there’s a technological solution. The solution to a human gullibility problem isn’t in better programming or more elaborate firewalls; it’s in user education. No matter how sophisticated and bulletproof a security system is, there’s no defense against a person who deliberately chooses to permit someone through it.

But when it comes to the Intertubes, folks don’t get that.

If we had a situation where a criminal walked into a bank and, without weapons or violence, tricked a security guard into opening the vault for him and handing him all the money inside, we would not say “Oh, we need to build bigger vaults with thicker doors and more complicated locks!” It’s obvious to anyone who thinks about something like that that a bigger door or thicker walls won’t prevent someone from tricking a gullible guard into unlocking the door.

Yet with computer malware, we tend to jump on technological solutions. Someone in China tricks an American defense contractor into deliberately installing a key logger on his computer, and everyone says “We need tighter computer security and more computer defenses.” Which is as pointless and ineffectual as saying “we need thicker bank vault walls” if someone persuades the guard to intentionally, deliberately unlock the vault door and hand him the money.

What we need isn’t better computer security; better computer security will not and can not address this kind of problem. What we need is less gullible people.

A few weeks back, someone posted an ad on Craigslist saying that they were moving suddenly and they needed to get rid of everything in their house, including their horse. They said that the house would be unlocked and anyone who wanted to could come and take anything they liked. Hundreds of people showed up and ransacked the house, even taking light fixtures and plumbing fixtures.

Needless to say, the Craigslist ad was bogus. Some people had robbed the house earlier, then posted the ad to conceal the evidence of their robbery.

Of course, the police showed up, but what was most interesting was how indignant the folks who ransacked the house were. They were angry and upset that the police tried to stop them. Many of them waved printouts of the Craigslist ad around, as if it justified what they were doing. They genuinely, sincerely believed that the ad on Craigslist meant they were doing nothing wrong.

That’s the mentality a lot of folks–including folks who ought to know better, including defense contractors–have. They truly believe that if an email says it is from someone they know and they should download and run the attached program, it must be OK to do. They sincerely think that if they see it in an email, it can not possibly be false. And that gulllibility makes them easy to dupe.

These are not idiots. If a person walked up to them on a street and said “I live at 423 Main Street but I have to move in a hurry, so go into that house and take anything you like,” they’d be like “Yeah, right.” If someone walked into their office and said “I’m from the pentagon, take this CD and run the program that’s on it,” they’d never in a million years do it.

But because it’s on the Intertubes, somehow it gets past their bullshit filters, and they suspend their ordinary skepticism. And I think that’s really, really interesting.

One of my all-time favorite books is Why People Believe Weird Things: Pseudoscience, Superstition, and Other Confusions of Our Time, by Michael Shermer, who’s one of my personal heroes. I met him briefly at a science fiction convention last October, and he’s just as amazing in person as he is in print.

One of the things he talks about, and one of the things I’ve written about as well, is the idea of the brain as a “belief engine,” a tool for forming beliefs about the physical world. As a tool for survival, the brain works amazingly well, but survival pressures have tended to shape and mold it in such a way that its default state is to accept ideas uncritically rather than reject them. For our early hunter-gatherer ancestors, the consequences of accepting a false belief (“keeping this magic stone in my pocket will help me ward off evil spirits”) were generally less dire than the consequences of rejecting true beliefs (“a leopard is dangerous to me,” “keeping upwind of my prey will cause my prey to escape more often”), and so we have developed these amazing brains that find it much easier to accept than to reject ideas.

On top of that, our brains are so highly optimized for efficient and rapid pattern recognition that they can tend to see patterns even where none exist (“when I updated to OS X 10.4.11, my hard drive failed; the update was responsible for the failure”).

I wrote an essay about the belief engine a while back. I think that it applies to things like Internet hoaxes and Trojan-horse malware in part because we are wired by selective adaptation to accept ideas uncritically, but we are also taught from a young age when that kind of uncritical acceptance is dangerous.

Everyone (well, almost everyone) learns from an early age not to trust strangers. So if a stranger stopped us on the street and said “I live in the house at the end of the block but I have to leave, so walk on in and take whatever you like,” there’s no way we’d believe him. But we aren’t taught to distrust the Internet.

To make matters worse, I think the Internet confuses people by messing with the signs we have been taught to accept to mark trustworthy people and institutions. We are taught to separate folks within our sphere of trust from folks outside of it, but we are not taught that this trust doesn’t extend to the Internet.

So, for example, most of us trust our mothers. If we receive an email and it’s got Mom’s “from” address on it and claims to be a greeting card, we’ll likely download it and run it without a second thought, because we trust Mom. What we haven’t been taught is not to trust the From: address on any email. People don’t realize how easily that is faked; the email is trusted because it bears the mark of being from a person inside our sphere of trust, but that mark itself is untrustworthy.

Same deal for a defense contractor who receives an email that claims to be from his Pentagon contact. Because the email carries a mark of a person inside the sphere of trust, the email is accepted.

Phishing scams rely on that, too. We mostly trust our banks, and we are familiar with what our bank Web site looks like. So we associate things like the bank’s logo and the bank’s Web site layout, which are familiar and comforting, with that feeling of trust. We so strongly associate things like the bank’s logo witht he bank itself that just the appearance of the bank’s logo can make whatever it’s attached to seem trustworthy.

In contemporary society, this is intentional; businesses do a lot of work and spend a lot of money to associate things like logos with the business, and to attach the logo to our emotional response. But what that means is the logo and the familiarity of the Web site layout make us trust the fraudulent phishing site. These things are more important than, say, the padlock that shows a secure connection, or the URL of the site, because we have not been taught about those things but we have been taught to associate the logo with our feelings of trust in the bank, so that makes us fall for the scam Web sites, and we voluntarily turn over information that otherwise we would be unlikely to give to anyone.

So again what happens is that we see the Internet as a technological construction, and we seek technological solutions to security problems, when perhaps it might be more effective to see the Internet as a social construct, and teach people “never trust an email from anyone” or “never trust a Web site that does not show a padlock on it” the same way we teach people “don’t talk to strangers” and “don’t give your bank account number to people you don’t know.”

I’m not saying there’s no need for technological security, mind you. There are still folks who exploit technical flaws in computers, or who attack computers using technical attacks like DNS cache poisoning or DNS rebinding attacks. Securing computer networks is still a necessary thing to do, and on that score the Internet as it now exists gets pretty dismal marks.

But what gives the Internet its power is the way people use it, not the hardware that makes it up. It is a social construct; it’s essentially nothing more than a communication medium. And any time you have communication, you have the potential for cons and fraud. I really do think that we have not yet, as a society, learned to extend the same degree of distrust to the Internet as we have to things in “real life,” and as a result the natural tendency for us to believe rather than disbelieve is easily exploited on the Internet.