Email Spam Re-revisited: How “mainstream” email marketers promote spam

Email spam–defined here as “unwanted, unsolicited commercial email”–is big business, with spam emails producing millions of dollars in revenue for the larger spam kingpins. There’s a huge cost to this spam, though. Google has released a PDF on the economics of spam that talks about how much cost spam emails externalize onto others. Spam filtering, for example, costs about $6 billion a year, and without it, email would be largely unusable.

Spammers often try to justify their spamming by claiming that email advertising is necessary to keep Web content free. It’s true that advertising is a necessary component of the Web–I wouldn’t be able to pay for all my Web sites without it. But as the Google report says, spamming is not the same as this kind of advertising:

How does spam differ from legitimate advertising? If I enjoy watching network television, using a social networking site or checking stock quotes online, I know I will be subjected to advertisements, many of which may be irrelevant or even annoying to me. Google, Yahoo!, Microsoft, Facebook, and others provide valuable consumer services, such as social networking, news and email, supported entirely by advertising revenue. While people may resent advertising, most consumers accept that advertising is a price they pay for access to valuable content and services. By contrast, unsolicited commercial email imposes a negative externality on consumers without any market-mediated benefit, and without the opportunity to opt out.

The vast majority of spam operations are run by a handful of spammers, the so-called “ROKSO spammers,” extremely prolific email spammers (some of whom are affiliated with organized crime, like Leo “Badcow” Kuvayev, a person involved in spam, malware, fake pharmaceuticals, and child porn and now in prison) who are part of the Register of Known Spam Operations.

There are also a lot of affiliate marketing companies–companies who pay affiliates to promote products. Some of these companies also run email marketing. All of them claim to be opposed to spam. But many are perfectly willing to allow spam, even spam by big-time ROKSO spammers, because of simple economics: it makes money.

I’ve blogged about one of these ROKSO spammers and his connection with “mainstream” affiliate and email marketing companies before. I monitor spam from this person, largely because I get a vast quantity of it to various email addresses. And when I say vast, I mean it–as in 839 examples of spam email in the last 20 days alone.

This particular spammer has a pretty simple modus operandi. He signs up for affiliate codes with “mainstream” email marketers and affiliate sales companies and spams, spams, spams. He tends to go for certain kinds of affiliate accounts: fake diabetes “cures,” quack “heart attack prevention” nostrums, right-wing conspiracy books, weight-loss fad diets, woodworking plans, and “get paid to do surveys” scams are his forté.

He’s worked with a wide range of affiliate companies before: Clickbank, Flex Marketing, and Clickbooth most often.

His spam activities slowed for a while, but recently have redoubled. And this new salvo of spam activities features two affiliate companies in particular: Clickbank and Cake Marketing. To a lesser extent, he’s still spamvertising through AD1/Flex Marketing, but not as much.

He’s not foolish enough to spam Clickbank or Cake Marketing links directly. Instead, he spams links that are just 301 redirectors to Clickbank or Cake URLs, or that open the URLs in a frame, to provide enough distance to shield Clickbank and Cake from direct association and provide a level of plausible deniability.

A few things have changed since I first wrote about this particular spam system, but the overall shape remains the same. The spammer, Mike Boehm, sends out millions of spam emails containing links to throwaway domain names. These domains used to be redirectors located at Namecheap; nowadays, they’re protected by Cloudflare, a name well known to spam fighters.

These domains are simply redirectors–that is, when you click on one of the links, you just get sent somewhere else. With these new spam runs, you end up either at a traffic redirection site owned by Cake Marketing, or at a domain that opens a Clickbank link in a frame. The new spam affiliate system is a bit different from the old one, and looks like this:

More than 90% of the spam emails–and like I said, there are a lot of them–go through Cake Marketing or Clickbank.
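The redirect-then-frame structure described above can be traced from captured HTTP responses without clicking anything. This is an added example, not the author's tooling: the hostnames, the `CAPTURED` sample and the suffixes in `NETWORKS` are constructed placeholders, and it follows only redirect `Location` headers and frame `src` attributes, the two mechanisms the post names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed captures: URL -> (status, headers, body). Every hostname is a
# placeholder under .example; none is taken from the post.
CAPTURED = {
    "http://throwaway-one.example/x1":
        (301, {"Location": "http://track.cake-net.example/?a=111&c=22"}, ""),
    "http://track.cake-net.example/?a=111&c=22":
        (200, {}, "<html><body>offer page</body></html>"),
    "http://throwaway-two.example/deal":
        (301, {"Location": "/landing"}, ""),
    "http://throwaway-two.example/landing":
        (200, {}, '<frameset rows="100%">'
                  '<frame src="http://aff123.vendor.clickbank-net.example/">'
                  '</frameset>'),
    "http://loop.example/a":
        (301, {"Location": "http://loop.example/a"}, ""),
}

# Placeholder suffixes standing in for the two networks named in the post.
NETWORKS = {
    "cake-net.example": "Cake Marketing",
    "clickbank-net.example": "Clickbank",
}


class FrameFinder(HTMLParser):
    """Collect the src attributes of <frame> and <iframe> elements."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def next_hop(url, status, headers, body):
    """Return (next_url, mechanism) for one captured response, or None."""
    if status in (301, 302, 303, 307, 308):
        location = {k.lower(): v for k, v in headers.items()}.get("location")
        if location:
            # Location may be relative, so resolve it against the current URL.
            return urljoin(url, location), "redirect"
    finder = FrameFinder()
    finder.feed(body)
    finder.close()
    if finder.sources:
        return urljoin(url, finder.sources[0]), "frame"
    return None


def trace(url, captured, max_hops=10):
    """Walk the chain from a spammed link; each hop is (url, how it was reached)."""
    chain = [(url, "spammed link")]
    seen = {url}
    while len(chain) <= max_hops and url in captured:
        hop = next_hop(url, *captured[url])
        if hop is None:
            break
        url, how = hop
        if url in seen:  # redirect loop: record it and stop
            chain.append((url, "loop"))
            break
        seen.add(url)
        chain.append((url, how))
    return chain


def network_for(chain):
    """Return (network label, mechanism) for the first hop on a listed network."""
    for url, how in chain:
        host = urlsplit(url).hostname or ""
        for suffix, label in NETWORKS.items():
            if host == suffix or host.endswith("." + suffix):
                return label, how
    return None


if __name__ == "__main__":
    for start in ("http://throwaway-one.example/x1",
                  "http://throwaway-two.example/deal"):
        chain = trace(start, CAPTURED)
        print(" -> ".join(u for u, _ in chain), network_for(chain))
```

Grouping complaints by the network and mechanism reported for each chain shows which affiliate program a batch of throwaway domains actually feeds.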

I’ve sent repeated complaints to the Cake Marketing and Clickbank email addresses, and received no reply. The spam affiliate accounts remain active. I expected this from Cake Marketing; to my knowledge, they never acknowledge spam complaints. I’m disappointed in Clickbank. They have terminated this spammer multiple times in the past, but appear disinclined to do so now.

There is an interesting postscript to this story: Clickbank has apparently established a reputation in the time since my last blog post on this subject as a spam haven. When I attempted to post this entry on LiveJournal, the following error message popped up:

Sex tech: Wave your arms in the air like you just don’t care

The street finds its own uses for things.
—William Gibson, Burning Chrome

Imagine, if you will, a device you strap onto your lower arm. This device has a bunch of embedded myoelectric sensors that respond to hand movements, and accelerometers that track arm movements. Yoked to these is a Bluetooth transmitter that relays a stream of data about your hand position and arm motion to a computer or smartphone. Sound exciting?

Meet the Myo, a gadget in search of a purpose.

It’s a neat, if pricey, device still in search of a killer app. It comes with a PowerPoint plugin that lets you flip through slides by waving your arm in the air. There’s an interface for Skyrim, though it’s a bit laggy and you can’t play for long before your arm gets tired. There’s also a bit of software that lets you control a small drone with arm gestures, though with less precision than a conventional remote control. It’s very much a “build first, look for a function later” gadget, reminiscent of many tech innovations from the age of the dot-com bubble.

In most industries, the “build it and they will come” approach to project engineering is looked at with less and less favor these days. I am a long-time mad scientist with a particular flair for designing and building all manner of high-tech sex toys, though, so to me “build it and they will come” is what gets me out of bed in the morning.

As soon as I saw a demo of the Myo, my mind instantly went to sex. Controlling a device remotely by gesture and motion? What could possibly be more fitting in a sex toy? (In fairness, I did once, many years ago, build an Internet-controlled sex toy called the Symphony—a name that might perhaps be more appropriate for a device that you can operate by waving your arms. Dance, my puppets! Dance!)

So imagine my surprise when I Tweeted that this would make a cool controller for a sex toy and shortly thereafter one showed up on my doorstep, courtesy of AV Flox over at Slantist.

Electronically, the Myo is a Bluetooth LE radio, a set of myoelectric sensors, a suite of accelerometers, and a low-power processor core running proprietary firmware. Information from the myoelectric sensors is interpreted and translated into a set of posture information. This information is combined with data from the accelerometer and transmitted as a series of gestures and motions.

Conceptually, it looks a bit like this:

The Myo communicates with a laptop or smartphone. The laptop or smartphone interprets the messages from the Myo, then sends appropriate commands to an Arduino with a Bluetooth board connected, instructing it to run (or stop) a vibrator attached to the motor driver.

The Arduino is a small single-board computer that was designed to do easy experimenting with programmable devices. Think of something like a Raspberry Pi, only far simpler and without an operating system. You can get many additional boards for the Arduino to do all sorts of things—Bluetooth, WiFi, networking, sensors, motor drivers, and other boards exist. The Arduino and its add-on boards are designed to be stacked on top of one another, to make project development easy.

The laptop or smartphone is necessary because of Bluetooth’s design. Bluetooth is a computer-to-peripheral technology. A Bluetooth network uses a master/slave topology, which means a Bluetooth peripheral can’t communicate directly with another Bluetooth peripheral—a “master” device like a laptop or smartphone is needed as an intermediary. When I first started working on a Myo-controlled sex toy, I did the development on a Macbook Pro laptop.

The Hardware

For the first-generation version of the gesture-controlled sex toy, I opted to use an Arduino Uno with a Red Bear Bluetooth shield and one of Kyle Machulis’ Pen15 vibrator controller boards, largely by virtue of the fact that I already happened to have all of them sitting on my workbench.

The Arduino is a small electronics board, roughly the size of an index card, that’s easy to program and capable of talking to all sorts of peripheral hardware. As a controller for a sex toy, it’s a bit large and clunky. Combined with a Bluetooth board and a motor control board, the whole ensemble is about as big as a pack of cigarettes; not exactly discreet. There are several much smaller development boards available, and a later version of this project will probably be about the size of a quarter.

The Arduino, Bluetooth board, and motor controller, all stacked atop one another, look like this:

The blue board on the bottom is the Arduino itself, and contains the processor, power supply, and USB interface for programming. The red board in the middle is the Bluetooth board. The green board on top is the Pen15, an interface board designed specifically to run a sex toy from an Arduino. All together, this stack of boards cost about $40 or so.

The Software

Assembling the stack of components to make a Myo-controlled sex toy was the easy part. Writing the software turned out to be a bit more aggravating.

There are two parts to the software: a program running on the laptop (or smartphone, but for convenience I wrote the first version on my laptop), and a program running on the Arduino. The laptop software needed to pair with the Myo and the Arduino’s Bluetooth card, accept incoming data from the Myo, figure out how to translate those data into sex toy functions, and then send appropriate commands to the Arduino. The software on the Arduino needed to accept those commands and run the vibrator accordingly.

The Myo does a lot of on-board processing to figure out what hand gestures are being done, then sends the gesture data to the computer. It can recognize certain gestures, like making a fist, spreading your fingers apart, and tapping your thumb and forefinger together. It also sends information from the accelerometers, to report motion data.

For the first version, I wanted to keep things simple. I decided to look only at hand gestures, rather than arm motion. Making a fist, I decided, would turn the vibrator off; spreading my fingers would turn it on. (I opted not to control the speed of the vibrator, even though this is fairly straightforward for the Arduino to do, just to keep things simple.) This let me ignore accelerometer data and look only at hand gestures.

The Arduino software was relatively straightforward. The Arduino Bluetooth card comes with a programming library, which, much to my dismay, failed to work right out of the box. That’s surprisingly common in the world of Arduino development, where hardware and software are often designed by small groups of dedicated enthusiasts and may or may not work as expected the first time. An hour’s worth of Googling and some trial and error let me get the Arduino Bluetooth library working, and after that, things were a lot easier. I chose a command that would mean “vibrator on” and another that would mean “vibrator off,” and wrote a simple program that would poll the Bluetooth card looking for those commands and send the appropriate signal to the Pen15 board. All in all, the Arduino side of the equation took an evening to get sorted.

The computer/Myo side was a bit more complicated. The Myo I received was one of the first to ship, and the Myo’s software development kit was a mess when it was first released. (It’s still something of a mess now.) I had considerable difficulty pairing with both the Myo and the Arduino—something that wasn’t helped by the fact that Mac development is usually done in a language called Objective-C, and my experience with Objective-C is limited. It’s mostly like C++, mostly, but there are just enough differences to trip up anyone accustomed to C++.

I finally gave up on accessing the Myo directly and opted for a shortcut. The Myo comes with software that maps Myo gestures onto the keyboard, so I decided to make things even easier by going that route. I mapped an open-hand gesture to the letter ‘a’ on the keyboard and a fist to the letter ‘z,’ and decided to write the software so that it would send a “vibrator on” signal when it saw the letter ‘a’ and send a “vibrator off” signal when it saw the letter ‘z.’ I figured once I had that working, I could get more fancy and sort out accessing the Myo directly later.

It took a good bit of time to get even that part working. The software development kit for the Arduino Bluetooth card is, if anything, in an even more sorry state than the Myo SDK. It took a lot of hair-pulling to get the sample code to work properly, and it tended to break whenever I tried to modify it.

In the end, I did finally get it to work, after a fashion. It was (and still is) quite crude: it recognizes only two Myo gestures, which it translates into “run the vibrator at full speed” and “turn the vibrator off.” The software still has a maddening habit of losing touch with the Arduino occasionally, for no reason I can discern, but it works.

The test

I decided to try out the vibrator with one of my girlfriends who was visiting from the UK, where she lives. We had just finished a whirlwind three-week camping tour of ghost towns through the Pacific Northwest, a journey I am still chronicling.

We spent her last night in Portland at a hotel near the airport, and I thought, hey, this would be an awesome time to take the new toy for a spin, and maybe even get some video of the device in action. She thought that idea sounded splendid.

Unfortunately, the software had other ideas. As often happens, somewhere between being tested on my workbench and being tried in the real world, it decided to quit working. I debugged frantically while she lay naked in bed waiting. Eventually, she fell asleep, and the opportunity was lost.

Later testing would have to wait for a more favorable time. Eventually I was able to get it working again, but the moment to use it with her had passed.

The future

The current prototype gesture-controlled sex toy is quite primitive. Put together, it looks like this:

The hardware is still clunky. I plan to rebuild it using a DF Robot Bluno, which combines the Arduino and Bluetooth on a tiny board roughly the size of a quarter.

This should make it possible to create a discreet, miniaturized sex toy that can be worn in public. I have one of these sitting on my workbench, but haven’t had a chance to play with it.

Eventually, when I’ve made more progress on the strapon the wearer can feel and I have time to return to this project, I plan to refine the software, adding accelerometer control and allowing the vibrator to be controlled more precisely—perhaps by adding patterns to the vibration. (I have visions of doing a PowerPoint presentation at a business function while one of my partners sits in the audience wearing this device, as it responds to the same gestures I’m using to control the PowerPoint slides.)

Finally, I want to compile the control software for my iPhone, so I don’t have to lug around a laptop wherever I might want to use it. I can keep the iPhone in my pocket, where it silently listens to the Myo and sends signals to the sex toy.

Remotely operated, Bluetooth-controlled sex toys that respond to wireless sensors, controllers, and other devices have a great deal of potential, especially if you’re a mad engineer like me. There’s rich territory here, just begging to be explored by intrepid adventurers. The early Myo prototypes are, I think, merely the tip of the proverbial iceberg. I can hardly wait to see what else is possible!

Two Chaosbunnies in the desert: Faffing


Fresh from the spectacular triumph that was Susanville, the semi-mythical old mining town on the end of an ancient and long-derelict road that nobody save Apple knows about (and boy, would I love to know how Apple added it to their maps!), we spent the next couple of days in a kind of Ghost Town Limbo. We had entered that period in our adventure I have come to think of as The Faffing.

It is a fact known to anyone familiar with the Great Northwest that the ruins of nineteenth-century boom towns lie in scattered disarray across the countryside like clothing at a drug-fueled Roman orgy. Once you get into the desert of the Great Northwest, it’s difficult to swing a cat without hitting the remains of some old logging or mining building from the 1800s.

That is, in fact, exactly the point of our journey. Other countries, possessed of a less exuberant excess of rolling countryside that nobody much wants, or perhaps gifted with a more pragmatic approach to resource allocation, don’t have long-abandoned towns that just kinda sit around for a century and a half because nobody can be arsed to do anything about them.

And even in places where people do want to do things with the land, there’s just so damn much of it that if there happens to be an old tumbled-down log cabin or a gold processing building of some sort, nine times out of ten it’s easier to work around it than to move it. So it stays there, quietly being Somebody Else’s Problem.

It’s this sort of neglectful attitude toward the dwellings of times gone that drew Bunny to the tour, as her native land of the United Kingdom of Britainlandia is, being on an island, much more conscious of making use of every square meter or hectare or whatever the hell unit of measure they use all the way over there.

So during The Faffing, we saw, and photographed, a great many tumbled-down buildings standing silent testimony to times long gone, though we were rather less successful in finding any real ghost towns. What ghost towns there are are often poorly marked, and the ones that are well-marked, we discovered, seem to be conspicuous in their existential absence when one goes to the appointed spot.

The Faffing was not a time of no productivity, but it certainly didn’t compare to the discovery of what was left of Susanville. Still, we did discover some pretty neat stuff as we wandered about aimlessly in the Adventure Van.

Like this abandoned building and rickety, half-collapsed footbridge over a surprisingly deep and treacherous creek, spotted by Bunny’s eagle eye as we drove down some county road or other.

Or this house, which looks like it ought to feature quite prominently in an episode of Scooby Doo. It was on the outskirts of some quiet little town in Oregon whose name I’ve already forgotten, but man, if I were a kid living in this town, this place would likely haunt my nightmares.

There are tons of old farm buildings lying in ruins all about the Pacific Northwest, some of which look like they might collapse into dust if some poor unsuspecting sod the next county over sneezes too vigorously.

We struck gold with this find, the remnants of an old one-room school building a couple miles outside the semi-but-not-really ghost town of Shaniko, Oregon. Bunny, as per usual, spotted it and said “Hey, pull over!”

The schoolhouse looks a lot less Little House on the Prairie and a lot more “Outtake from an episode of Dexter” these days, which adds, I think, to the ambiance. It’s a cool old building, for sure.

We took a random detour from looking for old ghost towns when we spotted a sign pointing to a lava flow in an ancient forest, because, you know, chaosbunnies. The detour took us a lot farther out of our way than the sign suggested, but after quite a lot of travel, we did indeed eventually come to the ancient lava flow.

Oregon’s terrain has been shaped by catastrophic geology, much of it volcanic. Enormous seas of lava once covered quite large expanses of it, wiping out everything around them and leaving behind terrain that, millennia later, still looks kind of like a lunar landscape.

Where these huge flows of lava encountered forests, the lava encased the trees in solid rock. The trees died and disappeared, leaving these formations as their only remains.

We took quite a few pictures, but as this was only incidental to our real purpose (if indeed chaosbunnies can be said to have a “purpose,” as opposed to a mere intention) we did not linger long, and were soon off.

We found some more ruins, this time just outside yet another town whose name I’ve already forgotten but that seemed to be a regional freight transportation hub, judging by the astonishing number of large trucks that formed an unending stream of traffic through the town.

It really is quite astonishing just how many of these ruins lie about, being ruins. We stopped frequently to take pictures of yet another ancient relic of centuries gone by, sometimes to the consternation of state police who wanted to make sure that we hadn’t abandoned the van and headed off through the countryside with cameras and bunny ears and tea because we were, you know, like, in trouble or anything.

Just what set of unfortunate circumstances might force someone to abandon a van armed only with these three aforementioned things is not entirely clear to your humble scribe. Still, it is gratifying to know that people were looking out for us.

We still had some interesting random discoveries, and a few moments of stark terror, closing inexorably in on us, which I shall detail in later episodes of this chronicle.

I have a small stuffed hedgehog that accompanies me almost everywhere I go. Her name is Lilith. Those of you who saw us on the European book tour likely recognize her. Lilith rode on the Adventure Van’s dashboard during The Faffing, and appeared quite unfazed by the whole experience.

ISIS, WordPress, and insecure Web hosts, oh my!

It is a fact universally acknowledged that running a WordPress site is a dangerous thing to do. WordPress is often attacked by hackers, because so many sites run it and so many people are not good about installing security updates. The hackers will use the commandeered sites for all sorts of nefarious purposes: installing malware, hosting phony bank pages that they then spamvertise in “Update Your Account Now” spam emails, hosting redirectors that lead people to spam or porn or phish pages.

I get a lot of spam emails, and when they lead to phony bank pages I will often check the top level of the site that the phony bank page is hosted on to see what’s going on. As often as not, the phony bank page is living on a WordPress site whose owner chose a bad password or was negligent about updating, and got pwn3d.

So it was that I found a fake PayPal page and, when I checked the home page of the hijacked site it lived on, I saw something odd: the home page had been deleted and replaced with a message reading “HACKED BY DARKSHADOW-TN AND ANONCODERS”.

I didn’t realize I was about to stumble on a massive (and still ongoing) security breach at two large Web hosting companies, Arvixe and Eleven2.

   

Curious, I did a Google search for that phrase (hacked by darkshadow-tn and anoncoders) and found thousands of Web sites that had been hacked and defaced with that message. And I do mean thousands–nearly three thousand in all.

I started working through the Google list, visiting each Web site to see if the defacement was still present. I discovered that there were three basic types of defacement, almost all of them done to WordPress sites.

Some sites had their content removed and replaced with a simple text message.

Some had the content left alone, but the page title changed to read “+ADw-/title+AD4-HACKED BY DARKSHADOW-TN AND ANONCODERS+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-”. This appears to be a misconfiguration of the automated tools the hackers used to deface the sites; it seems the hackers were trying to insert this in the page’s body.

Some had a defacement message injected into the body of the Web site, usually at the top.
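The title string quoted above is HTML written in UTF-7: `+ADw-` is `<` and `+AD4-` is `>`. The following added example (not from the original post) decodes such runs and sorts a page into the three defacement types listed; the sample pages and the 40-character threshold are constructed assumptions.

```python
import re
from html.parser import HTMLParser

MARKER = "HACKED BY DARKSHADOW-TN AND ANONCODERS"  # phrase quoted in the post

# A UTF-7 shifted run: '+', modified-base64 characters, closing '-'.
UTF7_RUN = re.compile(r"\+[A-Za-z0-9+/]+-")

# Title string exactly as quoted in the post.
QUOTED_TITLE = ("+ADw-/title+AD4-HACKED BY DARKSHADOW-TN AND ANONCODERS"
                "+ADw-DIV style+AD0AIg-DISPLAY: none+ACIAPgA8-xmp+AD4-")

# Constructed sample pages, one per defacement type plus a clean page.
CONTENT = ("<h1>Garden Club</h1><p>Meeting notes and the spring planting "
           "calendar are posted below.</p>")
REPLACED = "<html><head><title>Home</title></head><body>" + MARKER + "</body></html>"
TITLE_PAGE = ("<html><head><title>" + QUOTED_TITLE + "</title></head><body>"
              + CONTENT + "</body></html>")
INJECTED = ("<html><head><title>Garden Club</title></head><body>"
            "<div>Hacked by DarkShadow-TN and AnonCoders</div>"
            + CONTENT + "</body></html>")
CLEAN = ("<html><head><title>Garden Club</title></head><body>"
         + CONTENT + "</body></html>")


def decode_utf7_runs(text):
    """Decode UTF-7 shifted runs inside otherwise plain text.

    Runs that are not valid UTF-7 are left untouched.
    """
    def repl(match):
        try:
            return match.group(0).encode("ascii").decode("utf-7")
        except UnicodeDecodeError:
            return match.group(0)
    return UTF7_RUN.sub(repl, text)


class PageText(HTMLParser):
    """Split a page into title text and visible body text."""

    def __init__(self):
        super().__init__()
        self.title, self.body = [], []
        self._inside = None  # "title", "script", "style" or None

    def handle_starttag(self, tag, attrs):
        if tag in ("title", "script", "style"):
            self._inside = tag

    def handle_endtag(self, tag):
        if tag == self._inside:
            self._inside = None

    def handle_data(self, data):
        if self._inside == "title":
            self.title.append(data)
        elif self._inside is None:
            self.body.append(data)


def classify(html, replaced_threshold=40):
    """Return the defacement types found in one page (empty list if none)."""
    page = PageText()
    page.feed(html)
    page.close()
    raw_title = "".join(page.title)
    title = decode_utf7_runs(raw_title)
    body = " ".join(" ".join(page.body).split()).upper()
    findings = []
    if MARKER in title.upper():
        # The marker only became readable after decoding if the strings differ.
        findings.append("title-utf7" if title != raw_title else "title")
    if MARKER in body:
        rest = body.replace(MARKER, "").strip()
        # Assumption: almost no other visible text means the content was replaced.
        findings.append("replaced" if len(rest) < replaced_threshold else "injected")
    return findings


if __name__ == "__main__":
    print(decode_utf7_runs(QUOTED_TITLE))
    for name, html in (("replaced", REPLACED), ("title", TITLE_PAGE),
                       ("injected", INJECTED), ("clean", CLEAN)):
        print(name, classify(html))
```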

So, who are Darkshadow and Anoncoders?

Anoncoders is a loosely-organized group of Islamic computer hackers who use automated tools to hack poorly secured Web sites and deface them with anti-Israeli and pro-Muslim messages. They even have a Facebook page and everything.

Darkshadow is a group of pro-ISIS Muslim extremists who, like Anoncoders, often hack sites to deface them with pro-ISIS, anti-Israel, and/or anti-Western messages. They used to have a Facebook page, but it’s gone as of the time of writing this.

So we’ve got a couple of pro-Muslim, anti-Western hacker groups who generally use automated tools to hack low-hanging fruit, such as WordPress and Drupal sites that are running old versions or otherwise poorly secured. So far, so ordinary–dare I say, even boring. These kinds of attacks are a dime a dozen.

I started making a list of hacked sites, checking who the Web host was, then sending emails to the Web host abuse address letting them know they were hosting hacked sites.

That was when things got interesting.

As I went through the results of the Google search, cataloging thousands of hacked sites, I started noticing something weird: all the hacked sites were on only two hosting companies. Roughly half of them were hosted by Arvixe, and the other half were hosted by Eleven2, an outfit that’s a subsidiary of a company called IH Networks.

That raised the possibility that this wasn’t merely an automated, script-kiddie attack against a bunch of low-hanging fruit, but a breach of two hosting companies’ Web control panel software or some other weak link in the hosting companies’ software infrastructure.

I sent off emails to both Web hosts letting them know they had been the subject of a massive breach.

Unsurprisingly, neither of them responded. I say “unsurprisingly” because I have a long history of discovering massive security breaches at large, popular Web hosting companies that go unrepaired for months or even years.

I sent notifications to both of those Web hosting companies about three weeks ago. Upon re-examining the hacked sites today, I discovered, disappointingly, that the security problems have not been fixed and the sites remain compromised.

So I went back and looked at past abuse reports I have filed with those companies. This is my first contact with Eleven2, but I noticed that hacked sites I had alerted Arvixe to as long ago as last September are still compromised.

It seems there is a lesson here: Both Arvixe and Eleven2 have severe ongoing security problems and are more or less completely indifferent to fixing the problem.

If you use either of these Web hosting companies, I would suggest it might be prudent to examine your site carefully for security breaches, and to move to a different Web host as promptly as possible. It’s never a good sign when a Web host ignores reports that their servers have been breached by ISIS-affiliated hackers.

Some random late-night musings on profanity

When I was a kid, I had a little plaque with a poem on it hanging up on my bedroom wall. I have no idea who wrote the poem or where it came from, but it was there on my wall for so long I memorized it.

Never say die, say “damn!”
It isn’t poetic,
it may be profane,
but we mortals have need of it,
time and again.
And you’ll find you recover from Fate’s hardest slam,
if you never say die, say “damn!”

I love profanity. I’ll admit it. Supposedly “profane” language is language that communicates quickly and effectively, with lovely immediacy. It’s shunned because it’s particularly well-suited to conveying unruly emotions–messy, untidy emotions that some folks would like to pretend don’t exist.

But they do, and “vulgar” language is singularly eloquent in expressing them.

There is tremendous nuance in vulgarity. If I call someone a hopeless fuckmuppet, that conveys a different meaning than if I say they’re a hopeless fuckwit or a hopeless fuckhead. Each of these communicates disdain, to be sure, and in a far more visceral way than saying “I rather do believe that chap is quite distressingly incompetent at going about this business of life,” but those few syllables after the vulgarity carry a great deal of subtlety and differentiation.

People who fear vulgar language fear life, for it is a fact not easily overlooked that some parts of life are vulgar.

Call to the Lazyweb: Backup

I have a problem I’ve been beating my head against for a while now, and I’ve finally given up and decided to put this out there to the hive-mind of the Internet.

I have a laptop I want to keep regularly backed up. I have external hard drives that I use to do this, one that I carry with me and one that stays in my office in Portland. I use cloning software to duplicate the contents of the laptop onto them.

But I also want to do incremental backups, Dropbox-style, to a server I own.

I do have a paid Dropbox account and I do use it. (I also have a paid Microsoft OneDrive account.) But I’d really prefer to keep my files on my own server. What I want is very simple: the file and directory structure on the laptop to be mirrored automatically on my server, like such:

This should not be difficult. There is software that should be able to do this.

What I have tried:

Owncloud. They no longer support Mac OS X. Apparently they ran into problems supporting Unicode filenames and never solved it, so their solution was to drop OS X support.

BitTorrent Sync. This program is laughably bad. It works fine, if you’re only syncing a handful of files. I want to protect about 216,000 files, totaling a bit over 23 GB in size. BT Sync is strictly amateur-hour; it chokes at about 100,000 files and sits there indexing forever. I’ve looked at the BT Sync forums; they’re filled with people who have the same complaint. It’s not ready for prime time.

Crashplan. Crashplan encrypts all files and stores them in a proprietary format; it does not replicate the file and folder structure of the client on the server. I’m using it now but I don’t like that.

rsync. It’s slow and has a lot of problems with hundreds of thousands of files. The server is also on a dynamic IP address, and rsync has no way to resolve the address of the server when it changes.

Time Machine Server. Like CrashPlan, it keeps data in a proprietary format; it doesn’t simply replicate the existing file/folder structure, which is all I want. Like rsync, it has no way to cope with changes to the server’s IP address.

So you tell me, O Internets. What am I missing? What exists out there that will do what I want?

So you Want to Have a Threesome…

Group sex. It’s arguably one of the most common sexual fantasies that exists, right up there with the one about your French teacher, a paddle, and a giant pot of honey. It’s also one of the most fraught: How do I find people who want to have a threesome? What happens if I’m with a partner who’s more into the third person than into me? What if I get jealous? What if my partner gets jealous? What if there’s Drama? What if I feel left out?

I’m a huge fan of group sex. I lost my virginity in an MFM threesome (something I talk about in my memoir The Game Changer), and in the time since I’ve had far too many threesomes (and quite a lot of foursomes, and a few fivesomes, and some elevensomes, and at least one fifteensome) to count.

Group sex is hella fun, though like any kind of sexual activity it’s not everyone’s cup of tea, and that’s okay. If group sex is something that interests you, it can be hard to know where to get started and how to stack the deck in favor of a good experience for everyone. That’s what this guide is for.

What is group sex like? Fun. I’ve consistently found it to be amazing. First, though, I’ll talk about what it’s not like.

What group sex isn’t

It’s not (usually) like what you see in porn flicks or Hollywood movies. The other folks involved are people; unless you’ve hired a pair of sex workers, they’re not there just to be part of a male wank fantasy.

I’m afraid I have some bad news for the straight dudes in the audience: When you’re having sex with two (or more) women, they’re not there just for you. It’s not all about you and your pleasure. A typical threesome wank fantasy is about two women who make out or have sex with each other just to get the dude hot, but secretly they both need the D.

That’s not likely to be how it happens. Maybe they’re both straight. Maybe they’re both bi and more into each other than him. Like I said, I’ve had a threesome with a bi woman and her lesbian girlfriend; we both paid attention to the bi woman, but her girlfriend and I had no contact at all. It was all about the bi woman, not all about me.

In fact, threesomes with two men are about as common as threesomes with two women–and no, you don’t need to be bisexual to have a threesome. Three men can have a threesome, as can three women. If you’re a straight guy, you also need not feel threatened by the presence of another penis in the room. As many women as men fantasize about threesomes, and often, women quite fancy the notion of two men paying attention to her as much as men like the idea of two women paying attention to him.

Which brings up another point: unless you’ve explicitly negotiated otherwise, you can’t assume it’s a free-for-all. You don’t get to do whatever you want with both of the other folks involved. Everyone is going to come to group sex with their own limits and boundaries. If you ever want to have a second threesome, pay attention to those boundaries! Yes, people are getting naked and sweaty. No, that doesn’t (necessarily) mean you get to have sex, or perform any particular act, with either or both of them. They have the right to say what you may or may not do with their bodies. (And so do you, by the way. You are never obligated to have sex with someone just because they’re involved in sex with someone else. I am straight, so when I have threesomes involving another guy, he and I don’t touch. That’s fine. Your body, your rules.)

Finally, a lot of folks naively assume “if I’m with someone and we both have sex with the same third person, we won’t feel jealous because we’re both there!” Wrong. Jealousy is about insecurity, and it’s possible to feel insecure even when you and your partner are having sex with the same lover. The best time to get a handle on that is before you invite someone else into your bed, not after.

What group sex is

Fun. Lots and lots of fun. Threesomes can happen in a wide range of configurations with a wide range of activities that go way beyond the stereotypical porn shoot or wank fantasy. They offer virtually unlimited ways for three people to come together and explore.

There’s something delicious about having two sets of hands and lips and tongues on your body that’s just amazing. It’s fun to be the one receiving that attention, but it’s also fun to be participating in giving someone else that kind of pleasure.

It’s cozy. Three people all wrapped up together is really nice. It’s incredibly intimate, both physically and emotionally. I remember a situation where I, one of my girlfriends, and my FWB all spent the night together. We had lots of sex and fell asleep all tangled up together, but you know what the most fun part was? The next morning when we woke up and showered together. The three of us barely fit in the shower stall, and all of us were still sleepy and a bit giddy from the night before, and it was incredibly warm and cozy and intimate.

The sex is amazing. There are a lot of sensations and activities that are not possible with two people that are possible with three.

If you’re a straight dude in an FMF threesome, for instance, it’s not necessarily a question of having ordinary PIV intercourse with two women, though of course that can be part of it (and it’s hella fun when it is). I’m a big fan of pegging (having a woman use a strapon on me), and in threesomes, there are all kinds of fun combinations available. I’ve been on top of one lover having PIV sex with her while another lover is behind me pegging me…that was fun! (We broke the bed.) I’ve been lying on my side spooning a lover and penetrating her while another lover is spooning me and pegging me. There are all kinds of varieties in any kind of threesome, and a little imagination goes a long way.

It’s a lot of fun when bondage is involved, too. The night before my girlfriend and my FWB and I ended up in the shower together, my girlfriend and I tied my FWB to the bed and we both took turns playing with her. On another occasion, I was tied to the bed on my back while one lover straddled me and rode me, and another lover sat on my face. The two of them made out with each other while they both took pleasure from me. As you can imagine, both experiences were really hot.

So how do you make it work? What are the rules for group sex?

In my experience, the most important rules for threesomes (or foursomes or orgies or any other group sex) are not that different from the most important rules for two-person sex. Sex is sex, after all, and it doesn’t turn into something qualitatively different for n>2. As with any sex:

  • The folks involved are people, not sex toys or objects for your pleasure. Their needs and desires matter just as much as yours.
  • Consent matters. This means do not do things without someone else’s consent. Do not, for example, assume you have sexual access to everyone else involved. (I have had threesomes with two women where one of the women involved self-identified as lesbian. I have had threesomes with two women where one of the women was the girlfriend of my partner. In neither case did I assume that just because there were two women there, that meant I got to have sex with both of them.)
  • Set and respect boundaries. Talk about what access you will and will not allow to you. You don’t have to have sex with all the other folks just because your orientations and/or wibbly bits line up!
  • Talk about and plan for sexual health. Use barriers, exchange sexual histories, or do whatever else you need to do to protect your health.
  • I have found that sex of all sorts usually goes better with friends than with strangers. It is common for people new to group sex to want to try it with strangers, because they fear that having sex with people they know will make things “awkward” or induce jealousy. In my experience, though, inviting a random person into your bed goes along with inviting random communication skill, random sets of expectations, random STI risk profile, and random risk of Drama into your bed. With friends, you’ve already established a baseline, I hope, of communication and trust. Those things make sex better.
  • Communication matters. If you’re feeling something you didn’t expect, communicate! If you want (or don’t want) something to happen, communicate!
  • Treat the other people with respect and compassion. They are people too, remember? Treating people well is the key to having everyone have a good experience. When you treat other people well, you might get to play again!
  • If you do have an unexpected response, try to deal with it with grace. It’s okay to feel unexpected things when you try something new. If you need to stop, stop, but do so calmly and without shame, blame, or drama.
  • Don’t spend all your time trying to script exactly what happens or how it goes, unless scripting sex is your particular kink. Sometimes people are tempted to try to avoid jealousy by using a script. That’s unlikely to work. Jealousy is caused by insecurity and it’s hard to navigate around insecurity with rules or scripts.

Special considerations for safer sex

Group sex poses special challenges for safer sex that you might not have to think about when you’re accustomed to the more one-on-one variety. In addition to being aware of transmitting potential pathogens to your partner or receiving them from your partner, you also have to be aware of transmitting them between participants.

Some of these guidelines are common sense. If you use barriers like condoms, for instance, don’t use the same barrier with two different partners. Change condoms when moving between partners.

The same goes for use of sex toys or fingers. Be aware of who you’ve touched and with what. Cover toys and change the coverings between partners, or use toys with only one partner. Don’t put your fingers in one person’s wibbly bits and then put them in another person’s bits, if those people aren’t fluid-bonded.

Oral sex requires particular care. We don’t necessarily think of it as a vector between two folks who aren’t directly intimate with each other, but it can be. Use dental dams or condoms if you’re offering oral sex to two partners, or use mouthwash between partners. Be aware of where your bits have been, where your fingers have been, and yes, where your tongue has been.

Finding partners

Having group sex doesn’t take magic superpowers or arcane pickup secrets you learn from the seedier corners of the Internet. It does, however, help to let go of conventional attitudes about sex. We are all, throughout our lives, inculcated with a lot of baggage around sex, and some of that baggage makes it really hard to have threesomes.

In my experience, there are three approaches to trying to find group sex.

A lot of folks start out with a conventional relationship, then search for someone who will basically be an expendable fantasy fulfillment object. That can feel nice and safe. The third person is barely even a person. In fact, a lot of folks set strict rules on what that third person can and can’t do, or even set rules that it has to be an anonymous stranger from Craigslist rather than a friend or acquaintance, in the belief that this will avoid jealousy or awkwardness.

There are several problems with this approach. First, in my experience, the couples who do it are often trying to outsmart jealousy by planning and scripting a scenario they think will keep it at bay. But jealousy doesn’t come from sex. Jealousy comes from insecurity. If you see your partner enjoying someone else, and you’re sexually insecure, you will likely feel threatened and jealous even if the other person is a stranger, even if you’re having sex with that person at the same time, and even if you’re following a script. Second, sex with a stranger can feel less threatening than sex with a friend, but the problem is a random stranger brings random STI profile, random integrity or lack thereof, random baggage, and random drama to the table. Third, it encourages thinking of that person as a thing, not as a person with needs and desires.

It’s easier to take this approach than to build good tools for self-confidence, security, communication, and respect. A lot of folks take this approach because they don’t want to (or don’t know how to) build those tools, and the results are mixed. It is possible to have a good threesome with this approach, but it’s surprisingly hard. I think every threesome horror story I’ve ever heard (and I’ve heard quite a lot of them) started with this approach.

The second approach is to join a swing club or lifestyle community. This approach is really intimidating to a lot of people. There are all kinds of stereotypes about swingers, it can be hard to admit to other people what you want, and a lot of folks will say things like “sure, I want to have group sex, but that doesn’t mean I’m like all those perverts!” (Seriously, I’ve heard people say just that.)

The advantages to this approach are that it’s safe–the lifestyle community tends to have zero tolerance for abusive or disrespectful behavior, there is a strong culture of not disrupting other people’s relationships, there are meet and greets where you can get to know folks in the community in a low-pressure social setting without sex, and you’ll meet people who are on the same page about what you want. The disadvantage is that it’s intimidating at first, and if you’re still carrying around a bunch of baggage like sexual insecurity, sex negativity, or poor communication skills, you’re going to have to address those. It also can tend, depending on where you are, to favor people who are conventionally attractive. But the lifestyle community offers a structural way to get what you want on your terms.

My approach is different. I’ve never “found” a partner for a threesome by going out and looking. All the threesomes I’ve ever had have involved people I already knew. I’ve always had a social circle who are open and sex-positive, so I’ve never had to go out searching; it’s always been more like “hey, I like you, I’d like to explore being more physically intimate with you, whaddya say?”

I’ve tried to work on myself to build strong self-esteem and security, to confront my fears and insecurities, to develop the qualities of integrity and transparency, to be able to talk about sex without fear or shame, and to let go of the idea that if my lover digs sex involving another person that means I’m not good enough or whatever.

I’ve also worked hard to understand three principles that sound obvious but aren’t:

  • I can’t expect to have what I want if I don’t ask for what I want
  • If I feel something bad or unpleasant that doesn’t necessarily mean someone else is doing something wrong
  • Other people are real, which means their needs and desires are just as valid as mine.

Having done that, I deliberately built a social circle of open, sex-positive people. I got over feeling intimidated about going to kink or lifestyle social groups. I sought out people who have positive, healthy attitudes about sex. I worked on my own integrity.

And it really paid off. And because my social circle is made up of folks with good communication skills and positive attitudes about sex, it’s remarkably drama-free.

This approach takes the most work of the three, but it’s work you do on yourself. Being confident and secure, being open, having good communication skills, being willing to face down your fears and insecurities help you find partners, sure, but they also help you live a better, happier life.

Hey, now, hey, now, now…

Any goth worthy of their black stompy boots is familiar with the Sisters of Mercy song This Corrosion, and indeed has probably spent many a late night dancing to it, optionally while smoking clove cigarettes.

To help all of us better understand this song, which has touched the lives of so many goths, I offer: a flowchart for This Corrosion, the better to comprehend the inner workings of this important contribution to the goth arts.

Two Chaosbunnies in the desert: Susanville, or, Siri knows better than Google


The next stop on our whirlwind tour of ghost towns, cunningly planned through extensive and repetitive Googling of “ghost towns west coast,” was Susanville.

It would prove an elusive target. Susanville was established in 1864 when some bloke found a big lump of gold in a remote corner of Oregon, and a bunch of other blokes came flocking to the spot hoping to find more lumps of gold. Times being what they were, it wasn’t considered a proper town because it didn’t have its own post office, so in 1901 a bunch of miners, ahem, stole the post office from a neighboring mining town, making Susanville an improper town. Or so the story goes. It is not clear to your humble scribe how one steals a post office, nor whether the legitimacy conferred by a post office remains if the post office is stolen. Such matters are not for me to understand.

I used Siri to plot us a route to Susanville, and we were off. The trip started promisingly enough when we found a turnoff precisely where Apple Maps said it would be, with a much-faded sign suggesting we were on the right track.

Alas, things soon became complicated. I navigated the Adventure Van for quite a long while on a narrow single-lane dirt road, steadily moving farther and farther from civilization, until Siri told me to take a left turn onto a road that most completely and utterly did not exist. There was not the slightest sign that a left turn had ever existed in that spot, nor that one is ever likely to exist any time between now and when the stars burn out.

Bunny and I scratched our heads. “Let’s keep going,” she said. “Maybe GPS isn’t sure where we are. We’ll look for a left turn.”

We kept going. A left turn failed to appear. After we had traveled a considerable number of miles, with Siri telling us “make a U-turn, make a U-turn” over and over until madness threatened, I got the idea to try Google Maps.

This is not, I would like to point out, ordinarily such an insane idea. Google often knows better than Siri the ways of human navigation. In this case, however, Google was worse than useless. Siri showed us the road we were on, if I may be forgiven the literary excess of use of the word “road;” Google showed nothing but an endless expanse of featureless green. Where Siri believed there to be an exuberance of roads, including the one we could not find, Google showed nary a trace of human existence at all.

We turned around. “Turn right,” Siri said. Again, the road onto which we were supposed to turn persisted in its obstinate failure to exist.

“Maybe there used to be a road here,” I said. Bunny looked doubtful.

I stopped the van. “Siri says there’s a road right here,” I said. “Let’s get out and walk. Maybe we’ll find it.” Bunny still looked doubtful.

We walked for a while. “Siri says the road is right here,” I said. “Let’s just stay on the road according to GPS and see what happens.” Bunny looked very doubtful.

Still, the one thing you can count on if you’re a chaosbunny is there will be chaos. We set out through the field, watching the phone closely to keep the little blue dot centered on the road Siri insisted was there and reality insisted just as passionately was not.

When we’d walked for ten or fifteen minutes, Bunny pointed ahead. “I think this might be a road after all,” she said. “Look!”

Sure enough, there was a slight depression just regular enough that, if you squinted hard enough and perhaps dropped acid, it might seem it was once a road.

With a new surge in confidence, we kept walking. After another twenty or thirty minutes or so, and an inconvenient but fortunately narrow stream we were forced to jump across, we found… a road. A real, genuine, unmistakeable, honest-to-God road, exactly where Siri told us it would be.

We trotted along the road and rounded a large outcropping of rock, and then, there in front of us…a decaying house, tucked in the shadow of tall trees, glorious in its ruin. We had begun to believe it no longer existed, so as you can imagine, gentle reader, that moment when we rounded that corner made our hearts sing with joy.

Ladies and gentlemen, I present to you: Susanville, Oregon.

We poked around the ruined buildings for a while, taking pictures like mad and giggling like…well, like we were mad.

The largest house we found maintains silent watch over what used to be an old gold stamping mill, there on the other side of the river. Little remains of the mill but a heap of lumber.

I’d love to know what life was like out here, back when people came to this place in search of wealth. The few remaining houses are quite large, and were probably surprisingly comfortable given the remote inhospitality of the place.

Some of the remaining structures look a bit creaky. I was reasonably sure they probably wouldn’t collapse on us without warning, entombing us in a pile of old lumber and avarice.

When tea-time came around, Bunny sat down on an ancient and massive tree stump and…well, looked very English.

Tea properly handled, we resumed our explorations. I have no idea what this is, but it’s quite lovely.

We forded the river to examine the ruins of the stamping mill more closely. At first, I thought it was a lumber mill, but Google says no, this is where gold ore was brought to be crushed and processed. Of course, Google also said there was no road out here, so what does Google know?

The view back to the largest house from the mill is quite beautiful. I don’t imagine life here was easy, but it certainly did offer scenic natural beauty in spades.

In fact, it’s so lovely I’m a little surprised nobody lives out here now.

Susanville was amazing, and it was with heavy hearts we bid farewell to it and started the long hike back to the Adventure Van.

As fantastic as Susanville was, still more wonders waited in our future, though we had to pass through stark terror to get there. That story will come in time.

WordPress security issues: this is a bad one, folks

It’s been a bad week for WordPress. If you’re a WordPress user, I highly recommend you check as soon as possible to ensure your site is updated, all your plugins are up to date, and your site is free of unexpected users and malicious content.

WordPress 4.4.2 was released February 2. This release fixes two known security flaws.

Hot on the heels of this security release come two worrying developments. The first, reported on over at the Wordfence blog, concerns a new WordPress attack platform that makes it easier than ever for criminals to attack WordPress sites. From the article:

The attack platform once fully installed provides an attacker with 43 attack tools they can then download, also from pastebin, with a single click. The functionality these tools provide includes:

  • Complete attack shells that let attackers manage the filesystem, access the database through a well designed SQL client, view system information, mass infect the system, DoS other systems, find and infect all CMS’s, view and manage user accounts both on CMS’s and the local operating system and much more.
  • An FTP brute force attack tool
  • A Facebook brute force attacker
  • A WordPress brute force attack script
  • Tools to scan for config files or sensitive information
  • Tools to download the entire site or parts thereof
  • The ability to scan for other attackers shells
  • Tools targeting specific CMS’s that let you change their configuration to host your own malicious code

The post includes a video of the attack platform in action.

Second, from Ars Technica, is a report of WordPress sites being hacked and made to download ransomware to visitors’ computers.

It’s not currently clear how the sites are being compromised, but it may be via an unknown zero-day security exploit. From the article:

According to a Monday blog post published by website security firm Sucuri, the compromised WordPress sites he observed have been hacked to include encrypted code at the end of all legitimate JavaScript files. The encrypted content is different from site to site…

It’s not yet clear how the WordPress sites are getting infected in the first place. It’s possible that administrators are failing to lock down the login credentials that allow the site content to be changed. It’s also feasible that attackers are exploiting an unknown vulnerability in the CMS, one of the plugins it uses, or the operating system they run on. Once a system is infected, however, the website malware installs a variety of backdoors on the webserver, a feature that’s causing many hacked sites to be repeatedly reinfected.
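One way to check for the pattern in the report quoted above (code added after the end of otherwise intact JavaScript files) is to compare the live site against a known-good copy of the same WordPress, theme and plugin versions. This is an added example, not code from Sucuri, Ars Technica or WordPress; the helper names, directory layout and file contents are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path

# Constructed, harmless stand-in for an appended blob (not a real sample).
SAMPLE_TAIL = b'/* constructed stand-in for appended code */var _0="QUJDRA==";'


def classify(clean: bytes, live: bytes) -> tuple[str, bytes]:
    """Return (status, appended_tail) for one live file and its known-good copy."""
    base = clean.rstrip()
    if live.rstrip() == base:
        return "ok", b""          # identical apart from trailing whitespace
    if base and live.startswith(base):
        # Original content is intact and something follows it:
        # the pattern described in the quoted report.
        return "appended", live[len(base):].strip()
    return "modified", b""        # changed somewhere other than only the end


def scan_js(clean_root: Path, live_root: Path) -> dict[str, dict]:
    """Compare every .js file under live_root with the same path under clean_root."""
    findings: dict[str, dict] = {}
    for live_file in sorted(live_root.rglob("*.js")):
        rel = live_file.relative_to(live_root).as_posix()
        clean_file = clean_root / rel
        if not clean_file.is_file():
            # Absent from the reference copy: an upload, or a file someone dropped.
            findings[rel] = {"status": "unknown"}
            continue
        status, tail = classify(clean_file.read_bytes(), live_file.read_bytes())
        if status == "appended":
            findings[rel] = {
                "status": status,
                "tail_bytes": len(tail),
                "tail_sha256": hashlib.sha256(tail).hexdigest(),
            }
        elif status != "ok":
            findings[rel] = {"status": status}
    return findings


def demo() -> dict[str, dict]:
    """Build two small constructed trees in a temp directory and scan them."""
    clean = {
        "wp-includes/js/core-a.js": b"function a(){return 1;}\n",
        "wp-content/themes/demo/b.js": b"function b(){return 2;}\n",
        "wp-content/plugins/demo/c.js": b"function c(){return 3;}\n",
    }
    live = dict(clean)
    live["wp-content/themes/demo/b.js"] += SAMPLE_TAIL + b"\n"        # tail appended
    live["wp-content/plugins/demo/c.js"] = b"function c(){return 4;}\n"  # edited in place
    live["wp-content/uploads/d.js"] = b"var d;\n"                      # no reference copy
    with tempfile.TemporaryDirectory() as tmp:
        for root_name, files in (("clean", clean), ("live", live)):
            for rel, data in files.items():
                path = Path(tmp, root_name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_bytes(data)
        return scan_js(Path(tmp, "clean"), Path(tmp, "live"))


if __name__ == "__main__":
    for rel, info in demo().items():
        print(rel, info)
```

Because the appended content differs from site to site, a fixed signature is of little use; the comparison against a reference copy does not depend on what was appended.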

What can you do to protect your WordPress site? If you’re running WordPress, I strongly, strongly urge you to do the following:

  • Use strong admin passwords! I can not emphasize this enough. Use strong admin passwords! Criminals use automated tools to scan thousands of WordPress sites an hour looking for weak passwords. A normal WordPress install will be scanned dozens to hundreds of times a day. Use strong admin passwords!
  • Update all your sites RELIGIOUSLY. When a WordPress security patch is released, criminals will go to work examining the patch to see what it fixes, then develop automated tools to automatically hack unpatched sites. You may have only 24-48 hours between when a security patch comes out and when people start using tools that will automatically compromise sites that haven’t installed the patch. Turn on automatic updates. Keep on top of your site.
  • Install a tool like Wordfence. This free plugin will protect your site by locking out people who use known attack tools or brute-force password guessing attempts. It will notify you by email of hack attempts and updates that need to be installed.
  • Install a tool like WPS Hide Login to move your login page to a hidden location, like /mysecretlogin instead of /wp-login.php. This will go miles toward securing your site.
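The automated password guessing described in the list above shows up in the web server's access log as bursts of POSTs to the login page. The following is an added example, not part of the original post or of Wordfence: it assumes the combined log format and WordPress's default behaviour of answering a failed login with HTTP 200 and a successful one with a 302 redirect; the log lines, documentation-range IP addresses, threshold and window are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def find_login_guessing(lines, login_path="/wp-login.php",
                        threshold=10, window=timedelta(minutes=5)):
    """Return {ip: {"peak": n, "success_after_burst": bool}} for noisy clients.

    peak is the largest number of failed login POSTs seen from that IP inside
    one sliding window; success_after_burst marks a later 302 from the same IP,
    which suggests a guessed password and an account to reset.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failed POSTs in the window
    report = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue              # unparsable line, or not a form submission
        if m["path"].split("?", 1)[0] != login_path:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        ip, status = m["ip"], m["status"]
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that fell out of the window
        if status == "200":       # assumption: 200 on a login POST means failure
            q.append(ts)
            if len(q) >= threshold:
                entry = report.setdefault(
                    ip, {"peak": 0, "success_after_burst": False})
                entry["peak"] = max(entry["peak"], len(q))
        elif status == "302" and ip in report:
            report[ip]["success_after_burst"] = True
    return report


def _line(ip, when, method, path, status):
    """Format one constructed access-log line."""
    stamp = when.strftime("%d/%b/%Y:%H:%M:%S +0000")
    return (f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" '
            f'{status} 2048 "-" "constructed-agent"')


def sample_log():
    """Constructed log: one guessing client, one ordinary user, some noise."""
    base = datetime(2016, 2, 10, 6, 0, 0)
    lines = [_line("203.0.113.7", base + timedelta(seconds=5 * i),
                   "POST", "/wp-login.php", 200) for i in range(12)]
    lines.append(_line("203.0.113.7", base + timedelta(seconds=65),
                       "POST", "/wp-login.php", 302))
    # Ordinary user: one typo, then a successful login.
    lines.append(_line("198.51.100.23", base + timedelta(seconds=20),
                       "POST", "/wp-login.php", 200))
    lines.append(_line("198.51.100.23", base + timedelta(seconds=40),
                       "POST", "/wp-login.php", 302))
    lines.append(_line("198.51.100.23", base + timedelta(seconds=10),
                       "GET", "/wp-login.php", 200))
    lines.append("not an access log line")
    return lines


if __name__ == "__main__":
    for ip, info in find_login_guessing(sample_log()).items():
        print(ip, info)
```

If the login page has been moved, pass the new location as `login_path`.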

I highly recommend you install the free InfiniteWP tool as well. It’s a plugin plus a Web app that will notify you of updates and allow you to update one or many WordPress sites with just one button click. This is a great way to keep on top of security patches.

Also, absolutely do not assume you’re safe because you’re an obscure little blog that nobody cares about. The criminals will still find you. They use totally automated tools to scan for vulnerable WordPress sites looking for installations to exploit. It doesn’t matter if only you and your mom know about your site–criminals will find it and will exploit it.

Stay safe!