Everything In Between

I quit, Because Capitalism

One lazy Saturday morning in New York City not so long ago, I woke up hungry. I knew there was a great little bistro with delicious coffee and a $4 scrambled eggs breakfast special not far from where I was staying, so I figured I’d go eat there. I remembered the place because the last time I’d been there, on a weekday shortly after noon, it was empty, quiet, and the wait staff seemed to enjoy my company as I chilled in the back corner for several hours.

But as I approached the restaurant on this mid-day weekend, it was overflowing with people, and a hurried anxiousness was oozing from every smile the busy wait staff offered their customers. Augh, I thought to myself. It’s the weekend.

“I hate capitalism,” I said, invoking that now-clichéd phrase so many disaffected youth cite whenever, in many of the older generations’ eyes, they are “being lazy.” “And fuck the 9-5 workday,” I said. “And FUCK WORK!”

Who the fuck are you to say “fuck work”?

First of all, it’s important for me to mention near the start of this story—so this seems as good a place as any—that I’m a person with a sizeable chunk of class privilege. And yet, the reason for that may not be what you expect. Let me explain.

My parents are immigrants to America, first arriving in New York City in the early 1980s with little more than the clothes on their backs and some savings in their pockets. In their own ways, both are artists. My mother is an art teacher and my father is a graphic designer.

By the time I was born, my father was working 70-hour-plus weeks for micromanaging bosses and my mother took a second teaching job to make sure our family could make ends meet. I didn’t grow up in squalor, but I didn’t grow up in splendor, either. When my brother was born, our studio apartment in the back of the first floor of an “inner-city” neighborhood was even more cramped.

I grew up hating my religious day school, hating god, and hating not just homework, but all work. However, I also grew up loving books, my parents, and any activity whatsoever that I could learn something doing. My favorite video game was SimEarth because it taught me about how a planet’s weather impacts the ability of lifeforms to survive and evolve. That’s why my favorite movie was “Jurassic Park.” For my birthday one year, a classmate gifted me with the Jurassic Park soundtrack on CD, and it served as my introduction to scores of John Williams soundtracks I’d later pirate off Napster, even before seeing their associated film.

My second favorite video game was SimTower, because it taught me about capitalism. SimTower, for those whose only familiarity with the “Sim” series of games is the “SimCity” classic, is a game where you play a real estate tycoon who’s purchased a plot of land and is trying to build a skyscraper. It’s basically SimCity-in-a-building. You place shops, elevators, stairways, fire escapes, and more in various places on the high-rise you build, floor by floor, all with the goal of watching your bottom line soar.

Most people will never own a skyscraper. Hell, most people on Earth will never even walk into the lobby of one. But for a struggling child in a struggling family, getting to play a real estate tycoon was a helluva lot more fun than getting browbeaten into being at religious school at 8:15 in the morning to stand for 60 minutes of prayer I didn’t even believe in and then spend half the rest of my day in Bible class, day in and day out.

By the time I was 12 and in fourth grade, I’d had numerous different knowledge-fetishes, including archaeology, astronomy, and genetics. At that point, my newest obsession was biology. When our “science class” consisted of going to the park and outlining leaves with crayons, I was reading books like “Muscular Dystrophy,” and “Your Brain.”

But I digress. The point is that, eventually and with much familial infighting, I dropped out of school. Shortly thereafter, I began getting interested in computers and by the time I was finishing my teenage years I had moved out of my parents’ apartment into my own place in New York City’s West Village, and was running my own web design and development business with a focus on website accessibility for people with disabilities. And, to everyone’s amazement, I was actually breaking even.

One thing led to another and within a few years I was a highly sought-after technology consultant who, during my heyday, spent my days sitting across from the Chief Technology Officer of a Fortune 100 company that no longer exists because they helped cause the financial crisis of 2008. I was 23 years old. I wore suits to work. I made boatloads of money. And I hated it.

If you ever want to avoid questions like, “Why did you drop out of school?” slip the fact that your desk was next to the desk of a CTO of a major multinational bank early in every conversation. Trust me, I speak from experience on this one.

What this all means in practice is that I’m no longer lower- or “lower-middle-class.” I’m solidly middle-class now. I know this is true because the first year I made more money in 6 months than my parents’ annual salaries combined, two things happened. First, they stopped pestering me about dropping out of school. And second, my taxes quadrupled.

But it also means, in a capitalist society dependent on technology to facilitate every major and minor function of its ongoing machinations, I’ll never be “poor.” Because even if I have no money—and there have been times in my life like that—I will always have the ability to access money in what is to many people an astonishingly short amount of time.

That’s class privilege. Class privilege is not what one spends one’s money on. Class privilege is not a number in one’s bank account. Class privilege is one’s ability to lose all one’s money and then get it back—and easily!—because when you have class privilege, you don’t even have to care about money, budgets, or personal finances. I’m pretty sure I have a 401K from those years in corporate jobs somewhere in my name, but I have no idea where and I don’t even need to know. That’s class privilege.

I’m not class-privileged because I come from a rich family. (I don’t.) I’m not class-privileged because I graduated from a fancy school. (I didn’t.) I’m class privileged because, in today’s Information Age, I’m a magical creature who can talk to computer systems and make them do what you want.

I’m employable. Or, put more crudely: I’m sellable. My service offering? Robot taskmaster. Overseer not only of machines, but of people-who-work-with-machines, too. When I was a highly-paid data center automation technician, my entire job function was to set up computer systems in such a way as to obsolete the jobs of scores of lower-level computer operators and system administrators. (Yeah, I know, it’s gross.)

Of course, if you know anything about me (and if you don’t, let me tell you), you know that I don’t currently have a “job.” I’m a “digital troubadour,” or the information age’s equivalent of a wandering minstrel. These days, I live on the streets, sleep under overpasses and on generous people’s couches, and my primary source of earned income is donations from, yes, people like you. People who read my writings, like this one, watch my advocacy videos, and send me electronic donations, or put money on my café gift cards to keep me caffeinated and fed. (And I’ll always take the opportunity, like now, to say: hey, thank you for that. So, hey, thank you for that.)

But recently, I got a job. I didn’t even last the month, because it reminded me of all the reasons why I really, truly, hate capitalism. Here’s what happened.

A “dream job” is just a different kind of nightmare.

Every so often, I’m asked if I’m available for a tech gig. Most gigs are just flat-out horrible. “Contract-to-perm” so-called “opportunities” to work on some mindless, meaningless, Machiavellian monetary “loyalty discount” system or another. A new social network project struggling to launch that needs a “rockstar” web developer. I ignore them all, because fuck you and your stupid idea.

All except one: a project my ex-partner Emma was working on, called the Gender Spectrum Lounge. She’d asked me, repeatedly over the course of years, if I had time to work on this project. They already had a developer but, frankly, he was horrible. So in late April, I finally said yes.

I had four main motivations for agreeing to the project. First, I was looking for a new project to work on, something technical and relatively low-key but that still offered a fun time to hack on some code. Second, I’ve been familiar with Gender Spectrum as an organization for years and I always liked their stated goals. Third, I wanted to get a car, because I’m really tired of hitchhiking and relying on the shitty public transit options in America. And fourth, I really missed working with Emma.

“You don’t understand,” Emma would tell me time and time again. “This project is over budget, it’s late, it doesn’t work the way we’ve asked. It seems like every time our developer makes a change, something else breaks. We go months without hearing from him. It’s a nightmare.”

The Gender Spectrum Lounge doesn’t even have complex project goals. It’s supposed to be a community of people who are supportive of gender variant people, or who are genderqueer themselves. Gender Spectrum as an organization works largely on educational outreach and support programs for youth. The Lounge’s whole point was to have an online space where age-based groups could overlap in facilitated ways to allow for various kinds of interaction, such as between younger teens and young adults. I rarely see projects like this explicitly address cross-generational solidarity, and this project hit many of the things that are important to me personally, such as youth advocacy and mentorship.

Beyond all that, and despite its major technical issues, the Gender Spectrum Lounge seemed to be directly benefiting the lives of its participants. Emma shared some posts from the forums with me. A mother wrote about how hard it was to deal with the school district on behalf of her child’s discomfort with binarily-gendered bathrooms. Another mother consoled her, then cheered her on, telling her she was an amazing parent and doing the right thing. A youth described self-image concerns and another youth responded telling them they were beautiful. It was heartwarming. Reading some of the postings literally made my eyes water.

Even if I wasn’t going to get to participate in that directly (and I shouldn’t, it’s not my space), I knew I’d never get close to anything like that in the corrupt world of corporate IT. Burn the banks. Jail the CEOs. They are unmitigated evil, and I’m so fucking over being part of their disgusting globalized deception.

The Gender Spectrum Lounge was different in size, scope, and purpose from the big banks, but it was exactly the same as every other company that has to deal with technology. They hired technicians who don’t care, who half-assedly delivered an incredibly insecure and shitty result, all while overcharging for it. In Gender Spectrum’s case, not even the defaults in the free, open source forum software they were using as the site’s platform were functioning properly because the developer had fucked it up so bad.

The developer they’d hired took totally free software that worked out-of-the-box, broke it, delivered the broken free thing months late, and charged them for it. And here’s what you gotta understand: that’s not rare. That’s the norm. After I left the Fortune 100 world I went back to doing freelance gigs, and for the next several years, I made money exclusively off “clean-up” jobs. These were gigs where I was hired for the sole and explicit purpose of fixing something a previous technical hire broke or failed to deliver. You might be amazed how well that pays.

That pattern of taking something that works by default, breaking it due to sheer ignorance, malice, or self-serving greed, and then charging for the fuck-up, is how every single for-profit exchange works when you have a builder who knows more about the thing they are selling than the person they are selling to.

It’s Capitalism 101. People seem to intuitively understand this with, for example, cars and mechanics. You know you’re gonna get screwed over if you don’t know the first thing about cars and you go to a mechanic who’s not your friend. This happens in the tech world, too. Only the tech world is a bazillion times worse because the gap in understanding is so much greater. And this pattern doesn’t just exist between individuals, but entire systems. Did you know that sending text messages costs the telcos nothing, but they’re still the most expensive part of many mobile phone contracts?

But I digress, again.

I went to work on the project. I restored some of the basic out-of-the-box functionality the original developer had broken. I built a development environment so that Gender Spectrum could have a place to make and test changes before deploying them to their users. I packaged some of their customizations into plug-ins that they could turn on or off without interrupting the rest of the system. And I did all this as part of necessary, preliminary arrangements (like using a code versioning system) in order to make it easier, faster, and more reliable to make future changes and for other developers to pick up and run with. It’s like Abraham Lincoln once said, “If you give me six hours to chop down a tree, I will spend the first four sharpening my axe.”

For instance, one thing Gender Spectrum needed to customize was the interface text of the software they were using. As you’d expect, every system unnecessarily defaults to binary gender pronouns; it will use “he,” and “she,” but not “zie,” or even the grammatically correct singular “they.” (Why? Because Sexism, but that’s another whole blog—which you should read, since I’ve already written it.)

So, naturally, organizations like Gender Spectrum hire someone to change the system’s use of pronouns because they can’t go around claiming to be gender-inclusive if their website is constantly misgendering their users. And naturally, because they hire developers who almost certainly don’t actually give a fuck about them, they never make the change in a way that’s repeatable, or sharable with any other organization. Rather than using the software’s built-in language customization features, the developer that Gender Spectrum hired changed the default language files, meaning that if Gender Spectrum were to ever update their website’s system software, the changes would have to be made all over again. It’s like getting double taxed.

Many organizations want to be gender-inclusive, but rather than one organization that uses phpBB, and one organization that runs off Drupal, and one organization that uses Joomla, or whatever, writing one gender neutral language pack that every single other organization that uses the same system software can use, each organization hires a shitty developer to make the same change to their one site only. This is fantastic for greedy capitalist scum like most web developers, but it’s horrendous for everyone else. And these developers can get away with it because nobody else knows what they’re doing, and the orgs don’t have access to other people who give a fuck, and they’re all small non-profits supporting marginalized peoples anyway so they just get screwed over, over and over again.

Why? Because Capitalism. Capitalism trains us not to give a fuck about human beings or human lives.

The ironic thing is if a group like Gender Spectrum comes to me and says, “We’d like not to have to deal with this gender neutral pronoun thing repeatedly. Can you write something that will solve this problem and distribute your solution to the Internet for free so we can use it?” I would’ve jumped for joy and probably would have enjoyed doing it with them.

I still would. (So, contact them and ask about the “en_us_x_gnp” language pack I wrote for phpBB3. And if you use phpBB3 and want to use gender neutral pronouns on your boards, let me know and I’ll help you get that set up. No charge.)

On “quotes,” “estimates,” and other bullshit

When I started the project with Gender Spectrum, I was asked for a quote. Here’s the thing: I don’t give quotes. Every quote you ever get from a developer is going to be straight-up bullshit, just some number they pulled out of their ass. Especially when you’re a freelancer, you have to get really good at pulling bullshit out of your ass.

Quotes and estimates are bullshit because nobody knows what’s going to come up out of the code. This is doubly true for “nightmare” projects where the premise of the work is “things are fucked up and we don’t know what’s wrong or how to fix it!” At that point, any reasonable estimates would be so broad as to be meaningless in the first place.

Since I wouldn’t give a quote, or a project estimate, I was asked to track my hours. Here’s the thing: I don’t track my hours, either. I don’t track my hours because I don’t work in hour, or even in minute, chunks. I do multiple things simultaneously. As any person who performs creative tasks like writing or painting or even having sex with a lover or with oneself will tell you, “hours” are a meaningless unit of measurement for such things. Do I charge for the hour where I took a walk and thought about the structure of the project’s codebase? How about the half hour I spent reading the internationalization and localization API of the system’s software?

Tracking hours is a distraction from actually doing the work. Tracking hours is additional hours of (busy)work. Tracking hours is an interruption. Charging “hourly” consistently makes the project longer, makes my work less good, and annoys the fuck out of me.

So when I was asked for a quote, I countered: “One thing I want from this project is a car. Don’t pay me anything other than a car, if you have to think of it as paying me something in the first place. If you agree to help me get a car, that’ll help me fix your website.”

Asking for help getting a car instead of asking for money for working on the website seemed like an obvious win for everybody. It was quite literally the best possible deal. I didn’t even want a fancy car. A hardy Honda Civic or trusty Toyota Camry would be fine for me. A couple thousand dollars, tops, plus help taking care of the bureaucratic red-tape of insurance and registration. The whole thing would’ve cost Gender Spectrum a few thousand dollars, including the stipend for whatever intern was assigned to help me out. In contrast, tracking my hours for the project at $125 per hour (my standard going rate, which is highly competitive with the $120 per hour their previous freelance developer charged them) would’ve easily put them over the $6,000 mark within the first two weeks of my employ.

Emma thought the car thing was a good idea, too. But the idea didn’t go over so well with her boss at Gender Spectrum. Her boss wanted to have a meeting with me, some vagueness about making sure I could “commit” to the project, and in the meantime Emma convinced me to just charge under an hourly rate agreement, which we both knew would net me more than enough money to buy a car. Using that money, I could then hire her to help me do the stressful logistics pieces for figuring out how to actually get this car.

This seemed like a good idea, with one major problem. The whole point of having a car was so that I would have enough stability and time to do the project in the first place. Remember how I’m sleeping under overpasses and on generous people’s couches? That actually takes a lot of time to make possible. Every day, I spend anywhere between 2 and 5 hours setting up different couchsurfing arrangements, orienting myself in physical space with different travel options, learning public transit routes or just fucking walking with my pack on the streets of whatever city I happen to be in. Not to mention the emotional and social energy it takes for an introvert like me to interact with the people who generously host me. After a few weeks of hopping from one person’s couch to another, sometimes all I want to do is curl up in a corner and not talk to anybody ever again. None of these are situations in which I can sit down and focus on writing code.

Having a car would mean a helluva lot more freedom to plop my ass down at a coffeeshop and just hack on some code. Having to work for money to get a car was a Catch-22. However, as circumstances had it, I lucked out and found myself with an opportunity to have a stable housing situation for the month of May, exactly when the Gender Spectrum project was due to spin up. So, I agreed to the hour-tracking fiasco.

I arrived at my stable housing situation. May 1st came and went. I began tracking hours. Within a week, I’d racked up an invoice for Gender Spectrum in the $3,000 range. And that’s when we needed to “have a meeting.” Another week came and went. We didn’t have a meeting because the boss was busy. And what was the meeting about anyway? The answer I got was more vagueness about being sure I could “commit” to the project.

This delay was a problem, because time was a factor, because I didn’t yet have a car. Throughout this delay, I made clear to Emma that I don’t “commit” to stuff. It’s ridiculous and insulting to be asked to “commit” to work if you know that it’s just as much a mirage to commit to work as it is to commit to paying for work. It’s all just a fucking agreement. Asking me to commit to work is no different than me asking you to commit to paying for the work. Haven’t we already worked that out?

So being asked whether or not I’d commit to a project I was already actively working on raised, in me, the following question: are you going to pay me for working on a project you already said you’d hire me to do?

This should be fucking obvious, but since it isn’t to capitalists, which is most people I’ve ever had the displeasure of interacting with, I apparently have to repeat it: agreements don’t mean shit without trust. Nothing, not even your punitive legal system of contract law, can give an agreement value without trust. You can strong-arm people into doing what you want if you have enough power over their environment to get them to servilely accept whatever increasingly shitty circumstances you’re putting them in, but that’s not trust, and it’s not an agreement. There is no such thing as freedom of choice in a “free market” where the only choices are employment or starvation. That’s not a choice, that’s a threat.

I don’t take well to being threatened, and that’s not some kind of moral fucking failing on my part. And being threatened was exactly what was happening. All the vagueness about “committing” to a project was certainly not reassuring, and I’ve been around the block enough to understand when business-speak is a facade on a fundamentally untrustworthy relationship.

Sure enough, that’s exactly what happened in our meeting, which we finally held in mid-May. Long before we spoke, I had communicated to Emma, who had told me she’d communicated to her boss, that I don’t commit indefinitely to future work. We had already drafted a Scope Of Work, another one of those business-y documents, useful for clarifying what work needs to be done but terribly inane when treated like a contract. I had already delivered a few of the line items and I had no intention of asking Gender Spectrum to pay me any monies until the scope of work was completed in full.

So why were we having this meeting? Lisa, the Gender Spectrum executive director, spoke to me about how she didn’t want high developer turnover. Everything she said to me made clear she didn’t know what the fuck she was talking about from a technology perspective. This is no surprise, of course, coming from someone whose other full-time job is the VP of Marketing at Genedata AG, Inc.

Fucking marketing professionals. Do humanity a favor and kill yourselves.

I tried to make it clear that developer turnover is a problem when you have shit developers who do crappy work that they don’t document or tell anyone about. It’s actually not a problem when you take knowledge transfer into account and actually include documentation as part of the scope of work—which we did. I thought the whole point of being hired was to empower them, not to make them dependent on me. I was beginning to deliver something that made developer turnover irrelevant. But if they didn’t trust me to do that, having a meeting about my feelings about commitments was, itself, irrelevant.

The meeting lasted an hour. I tried to reiterate my complete and total unwillingness to commit to any relationship with Gender Spectrum beyond the Scope of Work already laid out. It fell on deaf ears. Over and over again, I’d say something like, “I won’t be able to guarantee any work outside of the Scope of Work,” or “I’m not in a position where I can actually commit to working past the agreements I’ve already confirmed with Emma,” but nothing seemed to get through that thick marketer’s skull of hers.

An hour into the meeting, we were finally starting to wind down. Then I hear Lisa say, again, “Well, it sounds like, maymay, you need to think about it and tell us if you can commit to working with us for longer.”

And I just lost it.

“Lisa, I’m going to need to interject something here. Listen, I’ve been very clear with Emma for weeks and I’ve been very clear in this phone call that I’m not going to commit to an indefinite project with Gender Spectrum. There is nothing more I need to think about here. As I’ve been saying, I know exactly where I stand. We’ve been talking about this in circles for an hour. I have other things I need to do with my day. Unless there’s anything else someone on this call wants to tell me, I’m going to go.”

There was a short silence. “No, I think that’s everything,” I heard Emma say. “Lisa?”

“No, nothing else.” Lisa said.

“Great. Lisa, it was very nice to meet you,” I lied through my teeth. “Have a good day.” I hung up.

A couple days went by with no word from Gender Spectrum. By now, the end of the month I’d set aside specifically to work on tech projects was fast approaching. I was sick and tired of waiting on Gender Spectrum, so I got involved with the re-launch of the “I Am Bradley Manning” photo petition website I’d helped launch two years ago. You might have seen a news cycle about the celebrity Public Service Announcement video we made. You might have surfed on over to iam.BradleyManning.org when you saw it linked on your Facebook or Twitter. Well, now you know, I helped make that.

I didn’t work on it for money. I worked on it because I wanted to.

A couple days after the phone meeting, Emma told me Lisa thought the meeting was “kind of refreshing.” It was too late, though. Every single time Emma pinged me about Gender Spectrum over chat, we’d end up getting into a fight about it, or the project, or the meeting, or how little time I had left in the month to focus on code. I told her I’d gotten involved with the Bradley Manning Support Network’s new social media project. Hey, it was a techie project, and I had specifically set myself up with time to code this month, so I thought I should use that time to code this month. I told her I’d still do Gender Spectrum stuff but that I’d only do it until the end of May, and I’d only give it fifty percent of my attention, tops.

Emma said that was fine. She also said Lisa tentatively agreed to a pared-down Scope of Work, but would hire someone else after the fact, and didn’t want me to continue to work with them afterwards.

There was no longer any reason I should work specifically with the Gender Spectrum people, and therefore there was no reason I should work for them, either. Gender Spectrum showed themselves to be exactly the sort of people I don’t like and can’t communicate with. Any agreement I made with them would’ve been meaningless because I don’t want to work with people like that. The whole fucking point of refusing to sign contracts or make meaningless commitments is to avoid getting tied to some commitment I wasn’t going to keep. Agreeing to such things only constrains me, not them. I charge for work done, not work I will do. And I won’t commit to work I will do. I do work I want to do, and if I get additional benefits like financial compensation out of that, all’s the better for me.

The emotional and personal cost of interacting with this stupid system was high, and the “payoff” was non-existent.

What Lisa actually wanted out of our meeting was some kind of proof that I’m a trustworthy person to work with, but that’s not how trust works. You don’t make friends by passively-aggressively making people promise to be your friend. And yet that’s what employer/employee relationships are all about: coercively making people pretend to be friends, under the threat of starvation due to losing access to money. Bosses like to do this thing where they pretend that they’re not really your boss, just your friend and colleague with a different position in the company than you have.

Fuck that shit. The best bosses I’ve ever had knew they were my boss and didn’t try to sweep the fact of that being a non-consensual power relationship under the rug. I’m privileged enough to be able to lead a lifestyle that means I don’t have to do employer/employee relationships anymore—I hate having relationships where I voluntarily give up my agency for the sole purpose of getting taken advantage of—and I’m smart enough to usually figure out when I’m being asked to have one of those.

Money is a technology that destroys trust. Its entire purpose is to short-circuit human relationships in order to insert itself as a middleman. It makes everybody spend more money, at more emotional cost, for things that make them angry at each other. I love Emma. But every conversation we had turned into a fight. I am not exaggerating when I say that’s capitalism’s fault.

So, after the meeting, I quit. Not immediately, although I should have. And after Emma and I talked about it over chat, we realized that I should have quit the instant Lisa rejected my initial offer for helping me get a car as a way to collaborate on helping fix Gender Spectrum’s website. I have this blind spot because I love Emma where I believe she won’t hurt me. She wants to protect me. But because I’m a human, I’m irrational, and thus I somehow believed getting involved in an abusive relationship with capitalism was going to be fine just because Emma didn’t want to hurt me. In hindsight, it’s obvious that was a stupid mistake, because Emma and I had put ourselves into a situation in which she was effectively forced to try and hurt me, because it’s her job, and if she didn’t do her job, she couldn’t keep paying rent.

Here’s the thing. Capitalism doesn’t just harm people by bludgeoning us with money. It harms us by getting us to bludgeon each other and ourselves with money.

Epilogue

When I did finally communicate to Gender Spectrum that I’d quit, I did so by sending Lisa the following resignation letter:

Lisa,

Effective immediately, I will no longer be working on Gender Spectrum projects.

The work I have completed to date for Gender Spectrum includes fixing various bugs, removing obstacles to maintenance and future updates, and creating a development environment for Gender Spectrum to use in future development tasks. I tracked a total of 26.25 hours on this work. My hourly rate is $125.00 per hour.

You can choose whether or not to compensate me for my work. If you choose to compensate me for all or part of my work, make a cheque in the amount of your choosing payable to Meitar Moscovitz and send it addressed to me at:

> [ADDRESS REDACTED]

Sincerely,
-Meitar Moscovitz
Personal: http://maymay.net
Professional: http://MeitarMoscovitz.com

I know this sounds like an awkward resignation letter, but I actually spent almost a week carefully composing it. I didn’t want it to sound like an invoice, not because I think charging money for one’s time or labor is some unforgivable sin no one should ever do, but because doing that is unhealthy for me. Capitalism isn’t just bad in some objective sense of the word, it’s concretely harmful to the human life I care most about: mine.

Also, while drafting this piece, I got another email from a recruiter. I realized I’ll just keep getting emails from recruiters, and capitalism will still be there, like an abusive ex-partner, constantly trying to seduce me into bed with it again. For my own health and safety, I need some way to actively shield myself from getting job offers.

So, I’m starting a long-overdue revamp to my LinkedIn profile, which is where I assume these devil-spawn come from. Under the heading titled “Advice for contacting [user name]:”, I’ve written:

DO:

  1. Have an interesting project. Make it ambitious. Ambitions are interesting. Everything else is boring.
  2. Treat me like a friend and collaborator (not an employee or a magical creature who can talk to computers).

DON’T:

  1. Offer to pay me. Seriously. If you offer me money, I will decline on principle.
  2. Be a recruiter. First, I don’t answer recruiters. Second, I don’t want the job.
  3. Support capitalism. I am an avowed anti-capitalist. Yes, really. If your project so much as pretends to have a capitalistic agenda, I will tell you to go fuck yourself, and your project.

This is just a quick, off-the-cuff edit, and I eventually want to change the rest of my “tech professional” web presence to match that sentiment. Thing is, I’ll always be excited about working on all kinds of cool projects. But I absolutely hate money, everything to do with it, and everything it stands for.

Written by Meitar

June 14th, 2013 at 2:23 pm

Cross-post: Edenfantasys’s unethical technology is a self-referential black hole

13 comments

This entry was originally published at my other blog. I’m cross-posting it here in order to make sure it gets copied to more servers, as some people have suggested I’ll face a cease and desist order for publishing it in the first place. Please help distribute this important information by freely copying and republishing this post under the conditions of my CC-BY-NC-ND license: provide me with attribution and a (real) back link, and you are free to republish an unaltered version of this post wherever you like. Thanks.

A few nights ago, I received an email from the Editor of EdenFantasys’s SexIs Magazine, Judy Cole, asking me to modify this Kink On Tap brief I published, which cites Lorna D. Keach’s writing. Judy asked me to “provide attribution and a link back to” SexIs Magazine. An ordinary enough request proved extraordinarily unethical when I discovered that EdenFantasys has invested a staggering amount of time and money to develop and implement a technology platform that actively denies others the courtesy of link reciprocity, a courtesy on which the ethical Internet is based.

While what they’re doing may not be illegal, EdenFantasys has proven itself to me to be an unethical and unworthy partner, in business or otherwise. Its actions are blatantly hypocritical, as I intend to show in detail in this post. Taking willful and self-serving advantage of those not technically savvy is a form of inexcusable oppression, and none of us should tolerate it from companies who purport to be well-intentioned resources for a community of sex-positive individuals.

For busy or non-technical readers, see the next section, Executive Summary, to quickly understand what EdenFantasys is doing, why it’s unethical, and how it affects you whether you’re a customer, a contributor, or a syndication partner. For the technical reader, the Technical Details section should provide ample evidence in the form of a walkthrough and sample code describing the unethical Search Engine Optimization (SEO) and Search Engine Marketing (SEM) techniques EdenFantasys, aka. Web Merchants, Inc., is engaged in. For anyone who wants to read further, I provide an Editorial section in which I share some thoughts about what you can do to help combat these practices and bring transparency and trust—not the sabotage of trust EdenFantasys enacts—to the market.

EXECUTIVE SUMMARY

Internet sex toy retailer Web Merchants, Inc., which bills itself as the “sex shop you can trust” and does business under the name EdenFantasys, has implemented technology on their websites that actively interferes with contributors’ content, intercepts outgoing links, and alters republished content so that links in the original work are redirected to themselves. Using techniques widely acknowledged as unethical by Internet professionals and that are arguably in violation of major search engines’ policies, EdenFantasys’s publishing platform has effectively outsourced the task of “link farming” (a questionable Search Engine Marketing [SEM] technique) to sites with which they have “an ongoing relationship,” such as AlterNet.org, other large news hubs, and individual bloggers’ blogs.

Articles published on EdenFantasys websites, such as the “community” website SexIs Magazine, contain HTML elements crafted to look like links but which are not links. When a typical human user visits, a JavaScript program included as part of the web page is automatically downloaded; it intercepts clicks on these “link-like” elements, fetches their intended destination from the server, and redirects the user there. Because of this careful and deliberate implementation, the browser’s status bar is made to appear as though the link is legitimate and a destination is provided as expected.

For non-human visitors, including automated search engine indexing programs such as Googlebot, the “link” remains non-functional, making the article a search engine’s dead-end or “orphan” page whose only functional links are those whose destination is EdenFantasys’s own web presence. This makes EdenFantasys’ website(s) a self-referential black hole that provides no reciprocity for contributors who author content, nor for any website ostensibly “linked” to from article content. At the same time, EdenFantasys editors actively solicit inbound links from individuals and organizations through “link exchanges” and incentive programs such as “awards” and “free” sex toys, as well as syndicating SexIs Magazine content such that the content is programmatically altered in order to create multiple (real) inbound links to EdenFantasys’s websites after republication on their partner’s media channels.

How EdenFantasys’s unethical practices have an impact on you

Regardless of who you are, EdenFantasys’s unethical practices have a negative impact on you and, indeed, on the Internet as a whole.

See for yourself: First, log out of any and all EdenFantasys websites or, preferably, use a different browser, or even a proxy service such as the Tor network for greater anonymity. Due to EdenFantasys’s technology, you cannot trust that what you are seeing on your screen is what someone else will see on theirs. Next, temporarily disable JavaScript (read instructions for your browser) and then try clicking on the links in SexIs Magazine articles. If clicking the intended off-site “links” doesn’t work, you know that your article’s links are being hidden from Google and that your content is being used for shady practices. In contrast, with JavaScript still disabled, navigate to another website (such as this blog), try clicking on the links, and note that the links still work as intended.

Here’s another verifiable example from the EdenFantasys site showing that many other parts of Web Merchants, Inc. pages, not merely SexIs Magazine, are affected as well: With JavaScript disabled, visit the EdenFantasys company page on Aslan Leather (note, for the sake of comparison, the link in this sentence will work, even with JavaScript off). Try clicking on the link in the “Contact Information” section in the lower-right hand column of the page (shown in the screenshot, below). This “link” should take you to the Aslan Leather homepage but in fact it does not. So much for that “link exchange.”

[Screenshot: the “Contact Information” section of the EdenFantasys page on Aslan Leather, with the non-functional “link”]

  • If you’re an EdenFantasys employee, people will demand answers from you regarding the unethical practices of your (hopefully former) employer. While you are working for EdenFantasys, you’re seriously soiling your reputation in the eyes of ethical Internet professionals. Ignorance is no excuse for the lack of ethics on the programmers’ part, and it’s a shoddy one for everyone else; you should be aware of your company’s business practices because you represent them and they, in turn, represent you.
  • If you’re a partner or contributor (reviewer, affiliate, blogger), while you’re providing EdenFantasys with inbound links or writing articles for them and thereby propping them up higher in search results, EdenFantasys is not returning the favor to you (when they are supposed to be doing so). Moreover, they’re attaching your handle, pseudonym, or real name directly to all of their link farming (i.e., spamming) efforts. They look like they’re linking to you and they look like their content is syndicated fairly, but they’re actually playing dirty. They’re going the extra mile to ensure search engines like Google do not recognize the links in articles you write. They’re trying remarkably hard to make certain that all roads lead to EdenFantasys, but none lead outside of it; no matter what the “link,” search engines see it as stemming from and leading to EdenFantasys. The technically savvy executives of Web Merchants, Inc. are using you without giving you a fair return on your efforts. Moreover, EdenFantasys is doing this in a way that preys upon people’s lack of technical knowledge—potentially your own as well as your readership’s. Do you want to keep doing business with people like that?
  • If you’re a customer, you’re monetarily supporting a company that essentially amounts to a glorified yet subtle spammer. If you hate spam, you should hate the unethical practices that lead to spam’s perpetual reappearance, including the practices of companies like Web Merchants, Inc. EdenFantasys’s unethical practices may not be illegal, but they are unabashedly a hair’s width away from it, just like many spammers’. If you want to keep companies honest and transparent, if you really want a “sex shop you can trust,” this is relevant to you because EdenFantasys is not it. If you want to purchase from a retailer that truly strives to offer a welcoming, trustworthy community for those interested in sex positivity and sexuality, pay close attention and take action. For ideas about what you can do, please see the “What you can do” section, below.
  • If you’ve never heard about EdenFantasys before, but you care about a fair and equal-opportunity Internet, this is relevant to you because what EdenFantasys is doing takes advantage of non-tech-savvy people in order to slant the odds of winning the search engine game in their favor. They could have done this fairly, and I personally believe that they would have succeeded. Their sites are user-friendly, well-designed, and solidly implemented. However, they chose to behave maliciously by not providing credit where credit is due, failing to follow through on agreements with their own community members and contributors, and sneakily utilizing other publishers’ web presences to play a very sad zero-sum game that they need not have entered in the first place. In the Internet I want, nobody takes malicious advantage of those less skilled than they are because their own skill should speak for itself. Isn’t that the Internet and, indeed, the future you want, too?

TECHNICAL DETAILS

What follows is a technical exploration of the way the EdenFantasys technology works. It is my best-effort evaluation of the process in as much detail as I can manage within strict self-imposed time constraints. If any of this information is incorrect, I’d welcome any and all clarifications provided by the EdenFantasys CTO and technical team in an appropriately transparent, public, and ethical manner. (You’re welcome—nay, encouraged—to leave a comment.)

Although I’m unconvinced that EdenFantasys understands this, it is the case that honesty is the best policy—especially on the Internet, where everyone has the power of “View source.”

The “EF Framework” for obfuscating links

Article content written by contributors on SexIs Magazine pages is published after all links are replaced with a <span> element bearing the class of linklike and a unique id attribute value. This apparently happens across any and all content published by Web Merchants, Inc.’s content management system, but I’ll be focusing on Lorna D. Keach’s post entitled SexFeed: Anti-Porn Activists Now Targeting Female Porn Addicts for the sake of example.

These fake links look like this in HTML:

And according to Theresa Flynt, vice president of marketing for Hustler video, <span class="linklike" ID="EFLink_68034_fe64d2">female consumers make up 56% of video sales.</span>

This originally published HTML is what visitors without JavaScript enabled (and what search engine indexers) see when they access the page. Note that the <span> is not a real link, even though it is made to look like one. (See Figure 1; click it to enlarge.)

Figure 1: [screenshot of the page’s original HTML, showing the <span class="linklike"> pseudolink in place of a real link]

In a typical user’s browser, when this page is loaded, a JavaScript program is executed that mutates these “linklike” elements into <a> elements, retaining the “linklike” class and the unique id attribute values. However, no value is provided in the href (link destination) attribute of the <a> element. See Figure 2.

Figure 2: [screenshot of the same markup after the JavaScript has run: an <a> element carrying the linklike class and the id attribute, but with an empty href]

The JavaScript program is downloaded in two parts from the endpoint at http://cdn3.edenfantasys.com/Scripts/Handler/jsget.ashx. The first part, retrieved in this example by accessing the URI at http://cdn3.edenfantasys.com/Scripts/Handler/jsget.ashx?i=jq132_cnf_jdm12_cks_cm_ujsn_udm_stt_err_jsdm_stul_ael_lls_ganl_jqac_jtv_smg_assf_agrsh&v_14927484.12.0, loads the popular jQuery JavaScript framework as well as custom code called the “EF Framework”.

The EF Framework contains code called the DBLinkHandler, an object that parses the <span> “linklike” elements (called “pseudolinks” in the EF Framework code) and retrieves the real destination. The entirety of the DBLinkHandler object is shown in code listing 1, below. Note that the code contains a function called handle that performs the mutation of the <span> “linklike” elements (seen primarily on lines 8 through 16) and that, based on the prefix of each element’s id attribute value, two key functions (BuildUrlForElement and GetUrlByUrlID, whose signatures are on lines 48 and 68, respectively) interact to set up the browser navigation after responding to clicks on the fake links.

var DBLinkHandler = {
    pseudoLinkPrefix: "EFLink_",
    generatedAHrefPrefix: "ArtLink_",
    targetBlankClass: "target_blank",
    jsLinksCssLinkLikeClass: "linklike",
    handle: function () {
        var pseudolinksSpans = $("span[id^='" + DBLinkHandler.pseudoLinkPrefix + "']");
        pseudolinksSpans.each(function () {
            var psLink = $(this);
            var cssClass = $.trim(psLink.attr("class"));
            var target = "";
            var id = psLink.attr("id").replace(DBLinkHandler.pseudoLinkPrefix, DBLinkHandler.generatedAHrefPrefix);
            var href = $("<a></a>").attr({
                id: id,
                href: ""
            }).html(psLink.html());
            if (psLink.hasClass(DBLinkHandler.targetBlankClass)) {
                href.attr({
                    target: "_blank"
                });
                cssClass = $.trim(cssClass.replace(DBLinkHandler.targetBlankClass, ""))
            }
            if (cssClass != "") {
                href.attr({
                    "class": cssClass
                })
            }
            psLink.before(href).remove()
        });
        var pseudolinksAHrefs = $("a[id^='" + DBLinkHandler.generatedAHrefPrefix + "']");
        pseudolinksAHrefs.live("mouseup", function (event) {
            DBLinkHandler.ArtLinkClick(this)
        });
        pseudolinksSpans = $("span[id^='" + DBLinkHandler.pseudoLinkPrefix + "']");
        pseudolinksSpans.live("click", function (event) {
            if (event.button != 0) {
                return
            }
            var psLink = $(this);
            var url = DBLinkHandler.BuildUrlForElement(psLink, DBLinkHandler.pseudoLinkPrefix);
            if (!psLink.hasClass(DBLinkHandler.targetBlankClass)) {
                RedirectTo(url)
            } else {
                OpenNewWindow(url)
            }
        })
    },
    BuildUrlForElement: function (psLink, prefix) {
        var psLink = $(psLink);
        var sufix = psLink.attr("id").toString().substring(prefix.length);
        var id = (sufix.indexOf("_") != -1) ? sufix.substring(0, sufix.indexOf("_")) : sufix;
        var url = DBLinkHandler.GetUrlByUrlID(id);
        if (url == "") {
            url = EF.Constants.Links.Url
        }
        var end = sufix.substring(sufix.indexOf("_") + 1);
        var anchor = "";
        if (end.indexOf("_") != -1) {
            anchor = "#" + end.substring(0, end.lastIndexOf("_"))
        }
        url += anchor;
        return url
    },
    ArtLinkClick: function (psLink) {
        var url = DBLinkHandler.BuildUrlForElement(psLink, DBLinkHandler.generatedAHrefPrefix);
        $(psLink).attr("href", url)
    },
    GetUrlByUrlID: function (UrlID) {
        var url = "";
        UrlRequest = $.ajax({
            type: "POST",
            url: "/LinkLanguage/AjaxLinkHandling.aspx",
            dataType: "json",
            async: false,
            data: {
                urlid: UrlID
            },
            cache: false,
            success: function (data) {
                if (data.status == "Success") {
                    url = data.url;
                    return url
                }
            },
            error: function (xhtmlObj, status, error) {}
        });
        return url
    }
};

Once the mutation is performed and all the content “links” are in the state shown in Figure 2, above, an event listener has been bound to the anchors that captures a click event. This is done using prototypal extension, aka. classic prototypal inheritance, in another part of the code, the live function on line 2,280 of the (de-minimized) jsget.ashx program, as shown in code listing 2, here:

        live: function (G, F) {
            var E = o.event.proxy(F);
            E.guid += this.selector + G;
            o(document).bind(i(G, this.selector), this.selector, E);
            return this
        },

At this point, clicking on one of the “pseudolinks” triggers the EF Framework to call code set up by the GetUrlByUrlID function from within the DBLinkHandler object, initiating an XMLHttpRequest (XHR) connection to the AjaxLinkHandling.aspx server-side application. The request is an HTTP POST containing only one parameter, called urlid, and its value matches a substring from within the id value of the “pseudolinks.” In this example, the id attribute contains a value of EFLink_68034_fe64d2, which means that the unique ID POST’ed to the server is 68034. This is shown in Figure 3, below.

Figure 3: [screenshot of the HTTP POST to AjaxLinkHandling.aspx, with the single urlid parameter set to 68034]

The response from the server, shown in Figure 4, is also simple. If successful, the intended destination is retrieved by the success callback of the GetUrlByUrlID function (on line 79 of Code Listing 1, above) and the user is redirected to that web address, as if the link had been a real one all along. The real destination, in this case at CNN.com, is thereby only revealed after the XHR request returns a successful reply.

Figure 4: [screenshot of the server’s JSON response carrying the real destination URL]

All of this obfuscation effectively blinds machines such as the Googlebot that are not JavaScript-capable from seeing and following these links. It deliberately provides no increased PageRank for the link destination (as a real link normally would) despite the destination being “linked to” from EdenFantasys’s SexIs Magazine article. While the intended destination in this example link was at CNN.com, it could just as easily have been—and, in other examples, is—a link to the blog of an EdenFantasys community member and, indeed, to anyone else linked to from a SexIs Magazine article or potentially from any website operated by Web Merchants, Inc. that makes use of this technology.

The EdenFantasys Outsourced Link-Farm

In addition to creating a self-referential black hole with no gracefully degrading outgoing links, EdenFantasys also actively performs link-stuffing through its syndicated content “relationships,” underhandedly creating an outsourced and distributed link-farm, just like a spammer. The difference is that this spammer (Web Merchants, Inc. aka EdenFantasys) is cleverly crowd-sourcing high-value, high-quality content from its own “community.”

Articles published at SexIs Magazine are syndicated in full to other large hub sites, such as AlterNet.org. Continuing with the above example post by Lorna D. Keach, Anti-Porn Activists Now Targeting Female Porn Addicts, we can see that this content was republished on AlterNet.org shortly after original publication through EdenFantasys’ website on May 3rd at http://www.alternet.org/story/146774/christian_anti-porn_activists_now_targeting_female_. However, a closer look at the HTML code of the republication shows that each and every link contained within the article points to the same destination: the same article published on SexIs Magazine, as shown in Figure 5.

Figure 5: [screenshot of the HTML of the AlterNet.org republication, with every in-article link pointing to the SexIs Magazine article]

Naturally, these syndicated links provided to third-party sites by EdenFantasys are real and function as expected to both human visitors and to search engines indexing the content. The result is “natural,” high-value links to the EdenFantasys website from these third-party sites; EdenFantasys doesn’t merely scrounge pagerank from harvesting the sheer number of incoming links, but as each link’s anchor text is different, they are setting themselves up to match more keywords in search engine results, keywords that the original author likely did not intend to direct to them. Offering search engines the implication that EdenFantasys.com contains the content described in the anchor text, when in fact EdenFantasys merely acts as an intermediary to the information, is very shady, to say the least.
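Both of the checks described above (the crawler’s-eye view of the pseudolinks in the “EF Framework” section, and the link funnelling in syndicated copies just described) can be automated, so a contributor can audit a page without relying on a browser with JavaScript off. The following is an added example written for this post; it is not EdenFantasys code and not part of the original article. The class name linklike and the id prefix EFLink_ come from the markup quoted above; the sample HTML is constructed from that markup, and the hostnames publisher.example and hub.example are placeholders standing in for the real sites.

```python
"""Audit an HTML page the way a non-JavaScript client (a search-engine crawler)
sees it: list the real anchors, list the link-like <span> pseudolinks a crawler
cannot follow, and measure whether a syndicated copy funnels every link to one host.

Added example for this post, not EdenFantasys code. The class name "linklike" and
the id prefix "EFLink_" come from the markup quoted in the post; the hostnames in
the samples (publisher.example, hub.example) are constructed placeholders.
"""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkAuditor(HTMLParser):
    """Collect hrefs of real <a> elements and ids of pseudolink <span> elements."""

    def __init__(self, pseudolink_class="linklike", pseudolink_prefix="EFLink_"):
        super().__init__()
        self.pseudolink_class = pseudolink_class
        self.pseudolink_prefix = pseudolink_prefix
        self.anchors = []      # href values a crawler can actually follow
        self.pseudolinks = []  # id values of spans that only look like links

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names, so ID="..." arrives as "id".
        a = {name: (value or "") for name, value in attrs}
        if tag == "a":
            href = a.get("href", "").strip()
            # An <a> with an empty href (the post-mutation state of Figure 2)
            # is as dead to a crawler as the original <span>, so it is skipped.
            if href:
                self.anchors.append(href)
        elif tag == "span":
            classes = a.get("class", "").split()
            if self.pseudolink_class in classes or a.get("id", "").startswith(self.pseudolink_prefix):
                self.pseudolinks.append(a.get("id", ""))


def _host(href):
    return urlparse(href).netloc.lower()


def audit_page(html, page_host):
    """Crawler's-eye view of one page: which links exist and which of them leave the site."""
    parser = LinkAuditor()
    parser.feed(html)
    offsite = [h for h in parser.anchors if _host(h) not in ("", page_host)]
    return {
        "real_links": parser.anchors,
        "crawler_visible_offsite": offsite,
        "pseudolinks": parser.pseudolinks,
        # Pseudolinks present but no real off-site link: the page is an
        # "orphan" for crawlers, exactly the condition the post describes.
        "dead_end_for_crawlers": bool(parser.pseudolinks) and not offsite,
    }


def link_funnel(html):
    """For a syndicated copy: count the destination hosts of the real links and
    report the host receiving the largest share. A share of 1.0 across several
    links means every link in the article funnels back to one publisher."""
    parser = LinkAuditor()
    parser.feed(html)
    hosts = Counter(_host(h) or "(relative)" for h in parser.anchors)
    if not hosts:
        return None, 0.0
    host, count = hosts.most_common(1)[0]
    return host, count / len(parser.anchors)


# Constructed sample 1: the original article as served (the markup quoted in the
# post) plus one ordinary self-link, so the contrast with a real anchor is visible.
ORIGINAL_ARTICLE = """
<p>And according to Theresa Flynt, vice president of marketing for Hustler video,
<span class="linklike" ID="EFLink_68034_fe64d2">female consumers make up 56% of video sales.</span>
See also <a href="/sexis/">more from the magazine</a>.</p>
"""

# Constructed sample 2: a syndicated copy on hub.example in which every in-article
# link points at the same story on the original publisher's host.
SYNDICATED_COPY = """
<p>Activists are <a href="http://publisher.example/sexis/story">targeting women</a>;
<a href="http://publisher.example/sexis/story">one estimate</a> puts
<a href="http://publisher.example/sexis/story">female consumers at 56% of sales</a>.</p>
"""

if __name__ == "__main__":
    print(audit_page(ORIGINAL_ARTICLE, "publisher.example"))
    print(link_funnel(SYNDICATED_COPY))
```

Run it against the HTML you fetch with any non-JavaScript client (curl, or the page source saved from a browser) rather than against the DOM a browser shows after scripts have run; the whole point of the check is to see what a crawler sees. A page whose audit reports pseudolinks but no crawler-visible off-site link is the dead end described above, and a syndicated copy whose link_funnel share is 1.0 over several links is sending all of its outbound weight to a single host.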

In addition to syndication, EdenFantasys employs human editors to do community outreach. These editors follow up with publishers, including individual bloggers (such as myself), and request that any references to published material “provide attribution and a link back to us,” to use the words of Judy Cole, Editor of SexIs Magazine, in an email she sent to me (see below) and presumably to many others. EdenFantasys has also been known to request “link exchanges,” and to offer incentive programs that encouraged bloggers to add the EdenFantasys website to their blogroll or sidebar in order to help raise both parties’ search engine rankings, when in fact EdenFantasys is not actually providing reciprocity.

More information about EdenFantasys’s unethical practices, which are not limited to technical subterfuge, can be obtained via AAGBlog.com.

EDITORIAL

It is unsurprising that the distributed, subtle, and carefully crafted way EdenFantasys has managed to crowd-source links has (presumably) remained unpenalized by search engines like Google. It is similarly unsurprising that nontechnical users such as the contributors to SexIs Magazine would be unaware of these deceptive practices, or that they are complicit in promoting them.

This is no mistake on the part of EdenFantasys, nor is it a one-off occurrence. The amount of work necessary to implement the elaborate system I’ve described is also not even remotely feasible for a rogue programmer to accomplish, far less accomplish covertly. No, this is the result of a calculated and decidedly underhanded strategy that originated from the direction of top executives at Web Merchants, Inc. aka EdenFantasys.

It is unfortunate that technically privileged people would be so willing to take advantage of the technically uneducated, particularly under the guise of providing a trusted place for the community which they claim to serve. These practices are exactly the ones that “the sex shop you can trust” should in no way support, far less be actively engaged in. And yet, here is unmistakable evidence that EdenFantasys is doing literally everything it can not only to bolster its own web presence at the cost of others’, but to hide this fact from its understandably non-tech-savvy contributors.

On a personal note, I am angered that I would be contacted by the Editor of SexIs Magazine and asked to properly “attribute” and provide a link to them when it is precisely that reciprocity which SexIs Magazine would clearly deny me (and everyone else) in return. It was this request, originally received over email from Judy Cole, that sparked the investigation outlined above and enabled me to uncover this hypocrisy. The email I received from Judy Cole is republished, in full, here:

From: Judy Cole <luxuryholmes@gmail.com>
Subject: Repost mis-attributed
Date: May 17, 2010 2:42:00 PM PDT
To: kinkontap+viewermail@gmail.com
Cc: Laurel <laurelb@edenfantasys.com>

Hello Emma and maymay,

I am the Editor of the online adult magazine SexIs (http://www.edenfantasys.com/sexis/). You recently picked up and re-posted a story of ours by Lorna Keach that Alternet had already picked up:

http://kinkontap.com/?s=alternet

We were hoping that you might provide attribution and a link back to us, citing us as the original source (as is done on Alternet, with whom we have an ongoing relationship), should you pick up something of ours to re-post in the future.

If you would be interested in having us send you updates on stories that might be of interest, I would be happy to arrange for a member of our editorial staff to do so. (Like your site, by the way. TBK is one of our regular contributors.)

Thanks and Best Regards,

Judy Cole
Editor, SexIs

Judy’s email probably intended to reference the new Kink On Tap briefs that my co-host Emma and I publish, not a search result page on the Kink On Tap website. Specifically, she was talking about this brief: http://KinkOnTap.com/?p=676. I said as much in my reply to Judy:

Hi Judy,

The URL in your email doesn’t actually link to a post. We pick up many stories from AlterNet, as well as a number from SexIs, because we follow both those sources, among others. So, did you mean this following entry?

http://KinkOnTap.com/?p=676

If so, you should know that we write briefs as we find them and provide links to where we found them. We purposefully do not republish or re-post significant portions of stories and we limit our briefs to short summaries in deference to the source. In regards to the brief in question, we do provide attribution to Lorna Keach, and our publication process provides links automatically to, again, the source where we found the article. :) As I’m sure you understand, this is the nature of the Internet. Its distribution capability is remarkable, isn’t it?

Also, while we’d absolutely be thrilled to have you send us updates on stories that might be of interest, we would prefer that you do so in the same way the rest of our community does: by contributing to the community links feed. You can find detailed instructions for the many ways you can do that on our wiki:

http://wiki.kinkontap.com/wiki/Community_links_feed

Congratulations on the continued success of SexIs.

Cheers,
-maymay

At the time when I wrote the email replying to Judy, I was perturbed but could not put my finger on why. Her email upset me because she seemed to be suggesting that our briefs are wholesale “re-posts,” when in fact Emma and I have thoroughly discussed attribution policies and, as mentioned in my reply, settled on a number of practices including a length limit, automated back linking (yes, with real links, go see some Kink On Tap briefs for yourself), and clearly demarcating quotes from the source article in our editorializing to ensure we play fair. Clearly, my somewhat snarky reply betrays my annoyance.

In any event, this exchange prompted me to take a closer look at the Kink On Tap brief I wrote, at the original article, and at the cross-post on AlterNet.org. I never would have imagined that EdenFantasys’s technical subterfuge would be as pervasive as it has proven to be. It’s so deeply embedded in the EdenFantasys publishing platform that I’m willing to give Judy the benefit of the doubt regarding this hypocrisy, because she doesn’t seem to understand the difference between a search query and a permalink (something any layman blogger would grok). This is apparent from her reply to my response:

From: Judy Cole <luxuryholmes@gmail.com>
Subject: Re: Repost mis-attributed
Date: May 18, 2010 4:57:59 AM PDT
[…redundant email headers clipped…]

Funny, the URL in my email opens the same link as the one you sent me when I click on it.

Maybe if you pick up one of our stories in future, you could just say something like “so and so wrote for SexIs.” ?

As it stands, it looks as if Lorna wrote the piece for Alternet. Thanks.

Judy

That is the end of our email exchange, and will be for good, unless and until EdenFantasys changes its ways. I will from this point forward endeavor never to publish links to any web property that I know to be owned by Web Merchants, Inc., including EdenFantasys.com. I will also do my best to avoid citing any and all SexIs Magazine articles from here on out, and I encourage everyone who has an interest in seeing honesty on the Internet to follow my lead here.

As some of my friends are currently contributors to SexIs Magazine, I would like all of you to know that I sincerely hope you immediately sever all ties with any and all Web Merchants, Inc. properties, suppliers, and business partners, especially because you are friends and I think your work is too important to be sullied by such a disreputable company. Similarly, I hope you encourage your friends to do the same. I understand that the economy is rough and that some of you may have business contracts bearing legal penalties for breaking them, but I urge you to nevertheless consider looking at this as a cost-benefit analysis: the sooner you break up with EdenFantasys, the happier everyone on the Internet, including you, will be (and besides, you can lose just as much of your reputation, money, and pagerank while being happy as you can being sad).

What you can do

  • If you are an EdenFantasys reviewer, a SexIs Magazine contributor, or have any other arrangement with Web Merchants, Inc., write to Judy Cole and demand that content you produce for SexIs Magazine adheres to ethical Internet publication standards. Sever business ties with this company immediately upon receipt of any non-response, or any response that does not adequately address every concern raised in this blog post. (Feel free to leave comments on this post with technical questions, and I’ll do my best to help you sort out any l33t answers.)
  • EdenFantasys wants to stack the deck in Google. They do this by misusing your content and harvesting your links. To combat this effort, immediately remove any and all links to EdenFantasys websites and web presences from your websites. Furthermore, do not—I repeat—do not publish new links to EdenFantasys websites, not even in direct reference to this post. Instead, provide enough information, as I have done, so visitors to your blog posts can find their website themselves. In lieu of links to EdenFantasys, link to other bloggers’ posts about this issue. (Such posts will probably be mentioned in the comments section of this post.)
  • Boycott EdenFantasys: the technical prowess their website displays does provide a useful shopping experience for some people. However, that in no way obligates you to purchase from their website. If you enjoy using their interface, use it to get information about products you’re interested in, but then go buy those products elsewhere, perhaps from the manufacturers directly.
  • Watch for “improved” technical subterfuge from Web Merchants, Inc. As a professional web developer, I can identify several things EdenFantasys could do to make their unethical practices even harder to spot, and harder to stop. If you have any technical knowledge at all, even if you’re “just” a savvy blogger, you can keep a close watch on EdenFantasys and, if you notice anything that doesn’t sit well with you, speak up about it like I did. Get a professional programmer to look into things for you if you need help; yes, you can make a difference just by remaining vigilant as long as you share what you know and act honestly, and transparently.

If you have additional ideas or recommendations regarding how more people can help keep sex toy retailers honest, please suggest them in the comments.

Update: To report website spamming or any kind of fraud to Google, use the authenticated Spam Report tool.

Update: Google provides much more information about why the kinds of practices EdenFantasys is engaged in degrade the overall web experience for you and me. Read Cloaking, sneaky Javascript redirects, and doorway pages at the Google Webmaster Tools help site for additional SEO information. Using Google’s terminology, EdenFantasys’s unethical technology is a very skilled mix of social engineering and “sneaky JavaScript redirects.”

Crosspost: My impressions on the new “sex-positive social network” Blackbox Republic


This post was originally published on my other blog, a much more Not Safe For Work site, at maybemaimed.com. However, it turns out that blog is censored in various countries, such as Dubai. Gotta love Internet censorship. Sigh. Anyways, since I think the material there is interesting and technology-relevant, and in order to help people avoid Internet censorship, I’m cross-posting the contents here. Enjoy.


Social media. Internet publishing. Privacy. Three phrases that have seemed to be at tenacious odds with each other in a multitude of subtle and not-so-subtle ways. For people like me, who have progressive views about sexuality, these three things are constantly on our minds. How do we participate in the online revolution without being forced to “come out” about every sex act we enjoy, some of which are still illegal thanks to draconian restrictions on sexual freedom, even (and especially?) in America?

This month, a new social network called Blackbox Republic (BBR) is attempting to tackle this head-on and aims to create a place for, as Marshall Kirkpatrick put it, this particular large and unserved group of people. Although BBR is clearly a business, it’s a business whose creators have laudable intentions for positive social and cultural change. In that respect, and in many others, Blackbox Republic is worth a close look.

I was informed about the venture via Clarisse Thorn many months ago. I got in touch with BBR and signed up for a limited-offer “founder” account—basically a private beta. The founder account gave me free access to the features of the BlackboxRepublic.com website for what would normally be a $25 monthly subscription fee.

So, without further ado, here are my impressions about Blackbox Republic, and how its launch may be just what the Internet needs to get us moving in the right direction with regards to personal privacy, and mainstream awareness of the different needs of different people on the Internet.

Mainstream sex-positivity or a VIP room in cyberspace? Or both?

Over the past few months, Blackbox Republic has been building a marketing arsenal of anticipation and intrigue. Its creators are successful in non-sexuality-focused spheres of influence: Sam Lawrence is the respected former Chief Marketing Officer of Jive Software, Inc., and April Donato has experience in community management. They also both jive (pun!) well with the sex-positive movement, discussing it at length in the early stages of their marketing efforts after de-cloaking the new company.

In an interview for Social Networking Watch, Sam Lawrence said,

[Sam Lawrence:] The co-founder [April Donato] and myself are part of [the sex-positive] community. Sex positive means that your sexuality is not an issue. You don’t have an issue with other people’s sexuality. You’re open to what other people are interested in and what their boundaries are, and you’re open with your own.

[…]

[Interviewer:] To what extent do you practice a sex-positive lifestyle?

[Sam Lawrence:] From the perspective of sex not being an issue, I think that love is generated by people being open enough about who they are as people to put all of themselves out on the table. As far as putting all of myself on the table, it’s something that I do every single day.

I have an enormous amount of respect for anyone able to so capably present themselves as authentically as Sam does. On the eve of KinkForAll New York City 2, I met Sam and April at one of their “founder meetups” and had the chance to talk to them face-to-face. Our conversation revolved around the importance of steadfastly holding true to one’s own desires and having appropriate places to express those things with appropriate communication tools. I really liked their emphasis on self-identification over labeling throughout our discussion.

I also really appreciated the way that Sam and April spoke about their target audience. Blackbox Republic will welcome everyone, but it’s not designed for everyone, and I think that’s a good thing. David Evans writing at Online Dating Post says,

BBR has room for everyone, but is not for everyone. Definitely catering to non-mainstream folks, it will soon feature a constellation of micro-communities, or groups, called Camps. BBR doesn’t tell people how to organize their camps; we’ll do it ourselves, thankyouverymuch.

So is Blackbox Republic a dating site, or a social network? Well, both, kind of. Part of BBR’s slogan includes, “Dates will happen. Sex will happen. It matters how you get there.” The implication, of course, being that the current suite of tools for finding love or play online—sites like Alt.com, OkCupid, and countless personals boards—focus too strongly on the end result, turning matchmaking into a meat market instead of the natural process of getting to know one another. The focus BBR is placing on each person’s “journey” is an extremely welcome paradigm shift in the online dating world.

Along with the welcome and (IMHO, painfully obviously better) new approach to online dating, however, Blackbox Republic faces some real challenges. For new users, the service costs a minimum of $5 a month to use (and $9 per month for new sign-ups starting in 2010), which gives access to basic features like a personal profile. For $25 a month, members get added features like the ability to list real-world meet-ups, send private messages, and partake in a virtual “gifting” economy (think LiveJournal’s “virtual gifts”).

For that reason, BBR has been called a “members-only club.” There are some legitimate differences of opinion as to whether this is a positive or a negative thing. In a press release over the summer, Blackbox Republic is reported as stating:

Blackbox Republic will be a members-only experience that will unite the sex-positive community and give them a personal, private and secure way to connect online and in person.

Writing for ZDNet, Oliver Marks likens Blackbox Republic’s approach to online dating to the fashionability of owning an Apple computer:

Think of Blackbox Republic as a fashionable online ‘members-only’ club where you might expect to meet people with similar interests to your own, and ideally the person of your dreams. […] Blackbox Republic is arguably an Apple product to Facebook’s Windows look & feel: a much more intimately crafted, fuller featured personal user interface which should appeal to Apple generation sensibilities.

Many pages on Blackbox Republic's website showcase fashionably dressed women.

Indeed, almost everything about Blackbox Republic’s marketing and design seems to me as though it’s positioning itself as the equivalent of the hip, new, and exclusive nightclub down the street. There are images of super-chic women in short skirts and tight pants all over the Blackbox Republic promotional pages—way more than there are pictures of men. I was (yet again) put off by this over-prevalence of women in all advertising material.

This isn’t really a criticism of the site, but rather a statement of disappointment that the marketing gurus behind the effort seemed to me to have succumbed to overwhelming cultural pressure to sell their site with old-school sex appeal: women’s sex appeal, of course. How…traditional.

Not only is the Blackbox Republic intro video markedly gender-skewed, but somewhere along the line Sam and April decided to drop the “sex-positive” phraseology from their marketing:

[L]ike most startups, Blackbox decided it needed to change up. Observers were confused by the sex-positive label.

Oh well. I think this just goes to further showcase how much more social change we really need in our culture.

However, while the clubby, cliquey feel is totally my own subjective perception, there are other issues at play here, too. Most notably, as Clarisse Thorn and many others rightfully remind us very often, the sex-positive movement is overwhelmingly white, middle- to upper-class, college-educated, and privileged in a huge number of ways that many people often take for granted. Even without a for-pay social network, not everyone who wants to can participate in the great-sex-for-everyone party atmosphere of many sex-positive niches.

Will creating a “members-only club” of sex-positivity on the Internet really be a positive thing for “the movement”? Well, maybe. Although it has the potential to exclude lower-income people from the experience, who are sadly also often the people with the most pressing need for the kinds of privacy-related tools BBR offers (school teachers spring to mind!), one upside is that Blackbox Republic promises to pledge a portion of membership dues to a charity of the user’s choice.

It’s $25 a month and $5 of those community dues go to charity. One way to think about it is if you’re sex-positive, you can either spend money on expensive coffee every month or upgrade your social life and meet other sex-positive people like you.

Inescapably, the major selling point of any social network is, of course, the network! If your friends aren’t on Twitter, then you’re probably not going to find it useful. The same truth holds for Blackbox Republic: if the users you want to interact with aren’t there, I doubt you’re going to find the experience fruitful. Due to the membership fees and the socioeconomic realities of the sex-positive community, I’m concerned that BBR’s current business model is too exclusive, and as a result it will have a lot of trouble attracting the kind of diverse community its creators seem to be hoping for.

Yet, some others think differently (pun!). For instance, Dennis Howlett welcomes the for-pay model for a social network:

anyone can join provided they’re willing to pay the $25 a month (I like that he has a pay model from the get go. That sorts out the weirdos and hangers on from day one)

I wonder if adopting a freemium approach might work better. Still, there are real-world limits to business. Everyone needs to make money, and I don’t think Blackbox Republic’s business model is inherently more exclusive than, say, purchasing access to porn. If anything, BBR’s got some real promise to inject much-needed financial awareness into the sexually insensitive corporate infrastructure of our society. Nevertheless, convincing people to join “the Republic” is going to be a hard sell.

Show me the features!

Let’s say you do decide to join. What do you get? Other than the sex-positive mindset, what’s the benefit?

Well, the bulk of the experience is what you’d expect. Profiles (called “personas”), messaging, user search capabilities (called “explore”), and so forth. A Twitter-like “activity stream” dominates the main page where you can post text, picture, or video status updates. Event listings fill the sidebar. (I’m not going to provide internal screenshots in deference to BBR’s strict confidentiality rules.)

While that’s fun, it’s nothing special. What makes Blackbox Republic different is flexibility, and privacy.

Goodbye drop-downs, hello sliders!

An innovative new interface acknowledges (most of) the diversity in human sexual experience and desire.

Blackbox Republic’s most visible feature is the way its interface allows you to flexibly self-identify various facets of yourself. Rather than give you static drop-down menus or radio buttons for things like your sexual orientation and relationship status, you’re presented with sliders you can change at will. Perhaps you’re feeling particularly same-sex attracted one day. Just move the “Orientation” slider towards the “Gay” end and away from the “Hetero” end. If that changes tomorrow, just move the slider back. Sho-weet!

BBR offers you 5 different sliders for your profile. In addition to the one for sexual orientation, you also get one for relationship “status” (ranging from attached to unattached, with Facebook’s famous “it’s complicated” neatly in the middle), whether you’re available for more partners or not, how comfortable you are with casual sexual activity, and how eagerly you’re looking to par-tay. I’m instantly reminded of FetLife’s innovative, if dull-looking, mechanism for specifying multiple relationships. Blackbox Republic gives you similar flexibility as FetLife does but presented in a superb and far more intuitive interface.

All that said, one slider is conspicuously missing: the one for gender. The sliders are a very interesting idea and might just be the most innovative feature of the entire site. It speaks volumes about the sensitive and thoughtful mindset of the developers, and that’s why I’m so disappointed that the interface for self-identifying gender is relegated to the Sex 1.0 days of a single, binary option of “male” or “female.”

What gives? Are polyamorous people more welcome here than those who don’t fit the gender binary? I hope this is simply an omission that will be fixed as the service matures, since I couldn’t find any other reason why gender was absent from the sliders. For extra credit, I hope to see different profile options for “Sex” and “Gender,” two distinct concepts that frequently and incorrectly get used interchangeably. This would make it possible to represent complex gender presentations like additive gender on a social networking interface for the first time ever, and that’d totally be something to write home about!

Privacy and security

The other major selling point of Blackbox Republic is its careful attention to privacy. The entire offering, including its name, is predicated on letting users very carefully segment their information based on their privacy boundaries. I love some of the things BBR has done to enable this, and I can only imagine it’s going to get better from here.

Blackbox Republic’s Web of Trust

There are three levels of privacy, which (as far as I can figure out) map directly to the level of trust other members have gained within the Republic’s community. It works like a web of trust. New users are “un-vouched.” As they begin to interact with others on the site and, hopefully, make some friends, they should receive “vouches”—or votes of trust—from previously-vouched members. As a member, you get to control whether something you do, such as posting a status update, gets sent to the “public” (i.e., the entire public-facing Internet), to all Blackbox Republic members (i.e., both vouched and un-vouched members), or only to vouched members.

Additionally, privacy settings allow you to specify whether you want to allow un-vouched members to send you private messages, to follow your updates, to comment on your posts, or to see you in search results.

Unlike Facebook, which has very good privacy controls that almost nobody on Earth is aware of (thus negating the controls’ usefulness), Blackbox Republic makes it a point to highlight its privacy controls at just about every sensible turn. Each of the settings I found defaults to the most private setting, not the most public, which is exactly the right move. I gotta say, I found turning off privacy settings instead of having to turn (or leave) them on to be a really empowering feeling.
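To make those defaults concrete, here is a small policy model of the privacy levels and settings described above, written as an added example in Go. It is not Blackbox Republic’s code; the names (Anonymous/Unvouched/Vouched, the three audiences, the Settings map) are my own assumptions about how such a scheme would be structured. It filters a constructed activity stream by the viewer’s trust level, treats an audience it doesn’t recognise as the narrowest one rather than the widest, and denies everything to un-vouched members until the account owner opts out of that default.

```go
package main

import (
	"errors"
	"fmt"
)

// Trust is how far a viewer has come in the Republic's web of trust, least to most
// trusted. Every name here is this example's own, not the site's internal one.
type Trust int

const (
	Anonymous Trust = iota // not logged in: the public-facing Internet
	Unvouched              // a member nobody has vouched for yet
	Vouched                // a member who has received a vouch
)

// Audience is the widest circle a member chose when posting something.
type Audience int

const (
	VouchedOnly Audience = iota // only vouched members
	AllMembers                  // vouched and un-vouched members
	Public                      // the entire Internet
)

// minTrust is the least trust a viewer needs for each audience.
var minTrust = map[Audience]Trust{VouchedOnly: Vouched, AllMembers: Unvouched, Public: Anonymous}

// CanSee decides whether a viewer may read something posted to audience a. An audience
// the table does not know counts as the narrowest, not the widest, so a bug fails closed.
func CanSee(viewer Trust, a Audience) bool {
	need, ok := minTrust[a]
	return ok && viewer >= need
}

type Post struct {
	Author, Text string
	To           Audience
}

// Stream returns the posts a viewer at the given trust level may see.
func Stream(posts []Post, viewer Trust) []Post {
	var out []Post
	for _, p := range posts {
		if CanSee(viewer, p.To) {
			out = append(out, p)
		}
	}
	return out
}

// Action is something one member does to another.
type Action int

const (
	Message Action = iota
	Follow
	Comment
	FindInSearch
)

// Settings records what a member lets un-vouched members do. The zero value (nil map, every
// action denied) is the default: a new account starts private and the member opts out.
type Settings struct {
	UnvouchedMay map[Action]bool
}

// Allows says whether a viewer may perform act on the member who owns s.
func (s Settings) Allows(viewer Trust, act Action) bool {
	switch viewer {
	case Vouched:
		return true
	case Unvouched:
		return s.UnvouchedMay[act] // a nil map reads as false: deny by default
	default:
		return false // anonymous visitors may read public posts, nothing more
	}
}

// Vouch grants a vouch: only an already-vouched member may give one, and only to a member.
func Vouch(from, to Trust) (Trust, error) {
	if from != Vouched {
		return to, errors.New("only vouched members can vouch for others")
	}
	if to == Anonymous {
		return to, errors.New("cannot vouch for someone who is not a member")
	}
	return Vouched, nil
}

func main() {
	posts := []Post{{"alice", "hello, world", Public}, {"alice", "members only", AllMembers}, {"alice", "vouched only", VouchedOnly}} // constructed
	for _, v := range []Trust{Anonymous, Unvouched, Vouched} {
		fmt.Printf("trust level %d sees %d of %d posts\n", v, len(Stream(posts, v)), len(posts))
	}
	var fresh Settings // a brand-new account: nothing allowed for un-vouched members
	fmt.Println("un-vouched member may message a new account:", fresh.Allows(Unvouched, Message))
}
```

The two design choices worth copying are that the lookup table is the only place the audience-to-trust mapping lives, and that every miss in it (an unknown audience, a missing setting, a visitor who isn’t a member) resolves to “no.”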

You’re not a “friend,” you’re an acquaintance!

Moreover, the Blackbox Republic platform makes a native distinction between “friends” (again, like Facebook, or FetLife) and “followers” (like Twitter). When I friend someone, I’m connected to them in a way that I’m not if I just follow someone. I’m not yet certain what the practical distinction between “friending” and “following” is, other than the fact that your view of the people you’re connected with is segmented based on which button you clicked, but I think the distinction is a very appropriate and natural one to embed in the software.

This separation is probably the single most important innovation in the space of social networks as a medium of communication and collaboration that I can point at. I love that I can indicate without ambiguity which people I want to remain in constant communication with and which I simply want to watch from a distance. After all, aren’t at least some of your “friends” on Facebook really just “acquaintances” in reality? I think that for the first time ever in a social network, Blackbox Republic gets this feature right. Now, if only I could figure out what it actually does. :)

What? No on-the-wire encryption?!

With all that being said, there’s still at least one really frightening problem with Blackbox Republic’s careful attention to privacy: as far as I could tell, no part of my session is SSL/TLS encrypted!

Stunningly, for a site that sells privacy, not even Blackbox Republic's login form is on a secure page.

The entire BlackboxRepublic.com website is served over HTTP, including the login form and—again, as far as I could tell—every page on the inside of the site. This means that it’s trivial for malicious people who don’t even have a Blackbox Republic subscription to intercept, eavesdrop, and modify my interaction with the site. They could watch—and save—private messages between me and one of my friends (or lovers!), for instance.

In Blackbox’s defense, I don’t know of any social network that protects you from this. FetLife is another example of a website that should seriously consider HTTPS-only pages, but as of this writing hasn’t implemented it. Therein lies one of the most frightening oversights in the entire social networking space: regardless of so-called privacy settings, everything you do on the vast majority of social networks, blogs, and other sites on the Internet is the equivalent of passing notes between friends in a classroom. Better hope that big bully who likes to steal your lunch money doesn’t open the note and read it himself while he’s passing along your login details!

The thing is, few other social networking sites place so strong a spotlight on user privacy and security. Since Blackbox Republic seems to be nobly and rightfully holding itself up to a new standard of privacy, I feel justified in pointing out this glaring omission in their service offering. Given everything else they’ve done so well, and how well-aligned the majority of their technical implementation seems to be with their philosophy, this omission came as a big surprise to me.

Until Blackbox Republic serves only HTTPS traffic for all private areas of its site, I can’t recommend in good conscience that it’s the place to be for privacy-conscious people. But again, despite public opinion to the contrary, I’ve never been able to make that claim for FetLife either.
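For anyone running a site like this, the problem above is easy to check for mechanically. The following Go program is an added example (not code from Blackbox Republic, FetLife or any other site) that audits a captured login page for the wire-level weaknesses discussed here: a password field on an HTTP page, a form that submits somewhere other than an https:// URL, session cookies without the Secure attribute, and a missing HSTS header on a TLS page. The two responses it inspects are constructed samples with a made-up host, not captures from any real server.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

var (
	formAction    = regexp.MustCompile(`(?is)<form\b[^>]*\baction\s*=\s*["']([^"']*)["']`)
	passwordField = regexp.MustCompile(`(?is)<input\b[^>]*\btype\s*=\s*["']password["']`)
)

// AuditLoginPage inspects a page fetched from pageURL together with its raw HTTP
// response and lists the ways a login through that page could be read or altered
// on the wire. It is a check a site owner runs against their own login page.
func AuditLoginPage(pageURL, raw string) ([]string, error) {
	base, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return nil, err
	}
	onTLS := base.Scheme == "https"
	var findings []string
	// A password field on a plain-HTTP page can be read, or replaced, by anyone on
	// the path before the user even presses "log in".
	if !onTLS && passwordField.Match(body) {
		findings = append(findings, "password field on a page served over plain HTTP")
	}
	// Where the form posts to matters as much as where it came from: resolve each
	// action against the page URL and insist on https.
	for _, m := range formAction.FindAllSubmatch(body, -1) {
		ref, err := url.Parse(string(m[1]))
		if err != nil || base.ResolveReference(ref).Scheme != "https" {
			findings = append(findings, "form action "+string(m[1])+" is not submitted over HTTPS")
		}
	}
	// A session cookie without Secure rides along on http:// requests too, so even a
	// TLS login leaks its session the first time the browser follows a plain link.
	for _, c := range resp.Cookies() {
		if !c.Secure {
			findings = append(findings, "cookie "+c.Name+" lacks the Secure attribute")
		}
	}
	// Without HSTS the browser will happily try http:// next time. Only checked on
	// TLS pages, because browsers ignore the header when it arrives over HTTP.
	if onTLS && resp.Header.Get("Strict-Transport-Security") == "" {
		findings = append(findings, "no Strict-Transport-Security header")
	}
	return findings, nil
}

// Constructed sample responses modelled on the situation described above; neither is
// a capture from any real site.
const (
	insecurePageURL  = "http://social.example/login"
	insecureResponse = "HTTP/1.1 200 OK\r\n" +
		"Content-Type: text/html\r\n" +
		"Set-Cookie: session=3f9a; Path=/; HttpOnly\r\n\r\n" +
		`<html><body><form method="post" action="/login">` +
		`<input name="user"><input type="password" name="pass"></form></body></html>`
	securePageURL  = "https://social.example/login"
	secureResponse = "HTTP/1.1 200 OK\r\n" +
		"Content-Type: text/html\r\n" +
		"Strict-Transport-Security: max-age=31536000\r\n" +
		"Set-Cookie: session=3f9a; Path=/; Secure; HttpOnly\r\n\r\n" +
		`<html><body><form method="post" action="https://social.example/login">` +
		`<input name="user"><input type="password" name="pass"></form></body></html>`
)

func main() {
	for _, s := range []struct{ u, r string }{{insecurePageURL, insecureResponse}, {securePageURL, secureResponse}} {
		findings, err := AuditLoginPage(s.u, s.r)
		fmt.Println(s.u, "->", len(findings), "findings", err)
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

On the constructed insecure page it reports three findings (the password field, the relative form action that resolves to http://, and the cookie without Secure); the secure variant reports none. Resolving the form action against the page URL is the part people skip: a relative action on an HTTP page is just as exposed as an explicit http:// one.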

Conclusion

Blackbox Republic is one of the most interesting websites on the Internet today. Its privacy-conscious and sexually open approach to social networking and online dating deserves huge praise. Its technical implementation—although plagued with some glaring oversights for now—is to be seriously respected.

From a social change perspective, I think the site is a mixed bag. Its exclusivity arguably makes the insularity of the sexuality communities an even bigger problem than it already is. On the other hand, the market-value of that very same exclusivity, if steered toward a benevolent purpose, can end up benefiting philanthropic, non-profit, and other sex-positive endeavors that often struggle to find necessary financial support.

Moreover, Blackbox Republic’s internal gifting economy does seem to encourage a sort of altruistic nature among members. How that may or may not translate into increased support for non-commercial activists has yet to be seen. Nay-sayers should remember that this kind of thing simply hasn’t been done before and the net effect could be quite positive.

Having just launched, however, I don’t think Blackbox Republic should be touted as the go-to site for sex-positive people quite yet. Like other social networks, it needs to grow to become truly useful, and its subscription fee business model poses a serious obstacle to many people. I was fortunate to get in with a free “founder” account, but I have mixed feelings about encouraging my friends to join me knowing they—or someone nice enough to “gift” a limited-time subscription to them—will have to pay for the service.

Additionally, its focus on being, well, a black box and its commitment to not allow Google or other search engines to index its internal content simply doesn’t resonate that strongly with me.

Lawrence emphasizes that what members say in Blackbox Republic will stay private. There’s no danger of what they post inside becoming part of their “Google resume,” as he puts it. He says he would resist efforts from search engines to index content the way Facebook and Twitter allow. “The value proposition is this is the first private, large social network out there,” Lawrence says.

Put simply, and noting that I’m probably not the majority case here, I rely on my “Google résumé,” to use Sam’s words, to live the life I want. My lukewarm reaction to this isn’t a criticism of the goal, simply an observation that it turns out I’m not in the ideal target market for Blackbox Republic’s value proposition.

In other words, I think I’m “too out” for this site to be immediately useful to me. The fact that FetLife is not readily available to the public Internet is the single biggest reason why I don’t sign on to that site very often, and so I have the same reason not to spend all that much time behind the curtains of Blackbox Republic.

Nevertheless, many other people do. If you’re among the cross-section of the populace who’d like a sociosexual experience online and would also like to effectively outsource your social reputation management, if you will, but you feel that sites like Facebook just aren’t cutting it, then Blackbox Republic is definitely worth checking out.

If you do check it out, or even if you don’t, I’d love to know what you think in the comments. And if you’re definitely sold, consider signing up via my partner link. Full disclosure: signing up that way earns me a small commission. If you’d rather sign up but not give me a commission for the referral, just register from the front page.

Buy Web Development Books from SitePoint’s 5-for-1 Sale and Donate to Bushfire Relief


For those of you who don’t already know, I’ve been a blogger over at SitePoint for a few months now. Today, I’m even happier to be a participant in the SitePoint community because, for a limited time only, SitePoint is offering the sale of the century: buy 5 SitePoint books for the price of 1. Every last cent of the proceeds from the sale of these books will go towards relief efforts for the recent Victorian bushfires that have claimed over 300 lives and are among the worst fire disasters on record.

The books are full-color PDF downloads, and include some really awesome titles. These are precisely the kinds of books you want as PDFs, too, since you can search through them and always keep them with you while you’re coding and looking for inspiration or a reference (even when you’re without Internet access). I couldn’t help but pounce on this deal, and I’m now the proud owner of the following books, which have all received some pretty great reviews:

In just 3.5 hours, SitePoint has managed to raise over $15,000 AUD, according to employee Kevin Yank on Twitter. And that’s just on this side of the world. All my Northern hemisphere friends were asleep when this was announced, but not to worry. SitePoint’s sale will last until this Friday, so there’s plenty of time to take advantage of it.

Obviously, I think you should do so. Not only are you getting some really quality content and helping disaster victims at the same time, you’re also sending a loud and clear message that companies whose humanity outshines their accounting are the ones you’re going to support. I’m thrilled to see that SitePoint is one of these human companies, and ever more thrilled to be a part of it.

Written by Meitar

February 10th, 2009 at 8:06 am

SECURITY FAIL: Workamajig.com encourages users to email cleartext passwords

4 comments

Creative agency management tool company Workamajig.com is a sizable operation with an international client base. Their product used to be called “Creative Manager Pro” which I can only assume they changed because it wasn’t actually creative enough. Anyway, it turns out that Workamajig has what is without doubt the absolute worst error message I can possibly think of from a security standpoint.

The error, which is triggered on login regardless of whether or not the username and password you enter are correct (presumably because the issue occurs while trying to authenticate), displays the username and the password the user has entered in cleartext and then (as if that wasn’t bad enough) encourages the user to email this information to their support department!

Yes, we have made the company aware of the problem. No, they have not fixed it yet. Proof in the form of a screen capture from literally 10 minutes ago:

Workamajig.com login error echoes the entered password in cleartext and encourages the user to send this to their support via email.

No, these are not real credentials, but an uninformed user may very well enter access credentials that are valid. Since this issue is not triggered by invalid credentials, that means valid login information for god knows how many Workamajig user accounts is very likely sitting in the SMTP logs of countless mail servers. Since in many countries these logs are federally mandated to be saved for at least two years, if I were a user of Workamajig I would seriously consider changing my account password ASAP, as well as changing any other account that I used the same password for!

I can’t be sure from this screenshot, but I sincerely hope that users’ passwords are passed around in the application, as well as stored on disk, as salted cryptographic hashes. Of course, after seeing this, I wouldn’t be shocked if that wasn’t the case. The good news is that the login screen to their application is only accessible with an SSL/TLS connection, which does prevent someone from snooping on the wire. Nevertheless, there are still many attack vectors that SSL/TLS doesn’t protect against if the rest of the application is not secure or, say, if you’re encouraged to bypass those protections by sending emails with sensitive data in order to request technical support.

Anyway, hopefully this gets fixed sooner rather than later. At the very least, don’t encourage users to email cleartext passwords. That is pretty much always a Very Bad Thing.
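Here is what the fix looks like in code, as an added illustration rather than anything Workamajig has published. The “before” function reproduces the mistake of echoing the typed credentials into a message the user is told to forward; the “after” version never receives the password at all and hands the user a random incident reference to quote instead, while the detail goes to the server log; and a small scrubber redacts password fields from anything that does get pasted into a ticket or mail log. Written in Go; the credentials and error text are constructed samples.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"regexp"
	"strings"
)

// vulnerableLoginMessage reproduces the mistake described above: the credentials the
// user just typed go into a message the user is told to paste into an e-mail. It is
// kept only as the "before" to compare against.
func vulnerableLoginMessage(user, password string, cause error) string {
	return fmt.Sprintf("Error logging in user %q with password %q: %v.\n"+
		"Please copy this message and email it to support.", user, password, cause)
}

// NewIncidentID returns a random reference the user quotes instead of any secret; the
// server logs the details of the failure under the same ID.
func NewIncidentID() string {
	b := make([]byte, 8)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: better to fail than to hand out guessable IDs
	}
	return hex.EncodeToString(b)
}

// SafeLoginMessage returns what to show the user and what to write to the server log.
// The password is not a parameter at all, so it cannot end up in either by accident;
// the cause goes to the log, the user sees only the reference.
func SafeLoginMessage(user string, cause error, incidentID string) (shown, logged string) {
	shown = fmt.Sprintf("We could not log you in right now. Please contact support and quote "+
		"reference %s. Do not include your password.", incidentID)
	logged = fmt.Sprintf("incident=%s user=%q cause=%q", incidentID, user, cause)
	return shown, logged
}

// secretPattern matches password-like fields in text produced by the old message or
// pasted into a support ticket: "password=x", "password: x", `password "x"`.
var secretPattern = regexp.MustCompile(`(?i)(password|passwd|pwd)(\s*[:=]\s*|\s+)("?)[^\s"]+("?)`)

// Redact scrubs password values from a line before it is stored or forwarded, so a
// ticket queue or mail log does not turn into a credential store.
func Redact(line string) string {
	return secretPattern.ReplaceAllString(line, "${1}${2}${3}[REDACTED]${4}")
}

// LeaksSecret reports whether text contains the given secret verbatim.
func LeaksSecret(text, secret string) bool {
	return secret != "" && strings.Contains(text, secret)
}

func main() {
	user, pass := "jdoe", "correct-horse-battery" // constructed credentials, not real
	cause := fmt.Errorf("directory server timed out")
	bad := vulnerableLoginMessage(user, pass, cause)
	fmt.Println("before:", bad, "\nleaks the password:", LeaksSecret(bad, pass))
	shown, logged := SafeLoginMessage(user, cause, NewIncidentID())
	fmt.Println("after, user sees:", shown)
	fmt.Println("after, server logs:", logged)
	fmt.Println("old message scrubbed:", Redact(bad))
}
```

The point of the signature change is that a secret which never enters the function can’t leak from it; the redaction is a second line of defence for the support inbox, not a substitute.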

Update: It took only a couple of days for Workamajig to notice this blog post, which is great because it means I woke up to a forwarded email in my inbox in which a Workamajig representative said:

On the issue of showing the user id and password in an error message, [we] will be changing the way that error message is displayed. […] Just to clarify, the user id and password is just on the screen of the user that is logged in, and that message to copy and paste is a standard message and it is just intended for you to copy and paste the error message; you are not required to send the user id and password.

I haven’t encountered the same issue again (but then again I only tried to log in to my account twice in between then and now), so I can’t verify that the error message really has changed, but I’d give Workamajig the benefit of the doubt. If you’re using Workamajig and notice a change in the way this login error is handled before I do, leave a comment to let me know it’s really been changed.

Written by Meitar

October 22nd, 2008 at 3:29 am

YubiKey and OpenID: Two great tastes that taste better together

one comment

In some communities, this is sort of old news, however I’ve recently become aware of an exciting and affordable security product called the YubiKey, manufactured by Yubico. The YubiKey is a $35 USD one-time password second-factor authentication token that uses 128-bit AES encryption to provide identity verification. That’s a mouthful, but what it really means is this: using a YubiKey to log in to stuff makes your logins about as secure as a military installation. Here’s how.

When you log in to just about any Web site or Internet-enabled service, say Basecamp for example, you traditionally simply type in a user name and matching password. This is known as one-factor authentication because all you need to do to log in successfully is use a matching pair of user names and their passwords. Since the user name is not hidden, the only piece of the puzzle that’s providing any security is your password.

Now, a password is something you have to remember, so this factor is called "something you know." Of course, if someone else also knows your password, this means that person can log in pretending to be you. Thus enters the need for a second factor for authentication.

The YubiKey is a physical USB fob device with a unique ID. That is, each YubiKey in the world has its own ID, meaning that no two are identical. This implies that if you have a YubiKey with you, no one else can have that same YubiKey anywhere else in the universe. Thus, this gives you a second factor with which to authenticate yourself, specifically it’s "something you have."

When you combine something you know (for instance, a password) with something you have (such as a YubiKey), you have two-factor authentication. Authenticating yourself with both of these factors is obviously more secure than relying solely on one factor because in order to compromise it an attacker needs to compromise both factors; the attacker would need to know what you know (figure out your password) and steal something you have (physically obtain your YubiKey).

If you’re familiar with one-time credit cards such as those that PayPal offers, you can think of the YubiKey like one of these cards, but instead of being used to make online purchases, it’s used for logging into stuff (and, of course, you don’t need more than one physical YubiKey). Of course, for authentication to work with the YubiKey the application or service you are logging into has to be able to understand that you’re using one of these authentication devices.

The good news here is that the entire process of using a YubiKey is a well-documented, open-source, and open-spec scheme so it’s easy for service providers to implement. And, because Yubico is also an OpenID identity provider, you can use your YubiKey to log into any site that supports the OpenID protocol right now, such as (you guessed it) Basecamp! There’s even a WordPress YubiKey plugin so you could theoretically use your YubiKey to secure your authentication to any of your WordPress blogs.

The YubiKey spec is, itself, completely independent of the OpenID spec and vice versa, which is what makes the combination so formidable. What’s so cool about this process is that the site you’re authenticating to, such as Basecamp or your WordPress blog, doesn’t have to know anything about how you’re authenticating because the OpenID provider (Yubico in this example) simply returns the answer—a perfect example of a well-constructed API at work. Either you have successfully authenticated to your OpenID provider or you haven’t, and the site can respond accordingly.
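To make the two-factor flow concrete, here is an added example (not code from the post, from Yubico, or from any OpenID provider) of a site that requires both factors before letting a user in. It parses an OTP in the YubiKey’s modhex alphabet (16 letters standing for nibble values, with the first 12 characters identifying the key itself; that layout is part of the public spec), then hands the token to a validation service that answers only "OK", "REPLAYED_OTP" or "BAD_OTP", which is exactly the yes-or-no relationship the post describes between the site and its provider. The `StubValidationService` is a hypothetical stand-in: a real validator decrypts and checks the token, while this one only checks the format and rejects a token it has already accepted, which is enough to show the one-time, "can’t be reused" property. User records, passwords and the OTP strings are constructed for the example.

```python
import hashlib
import hmac
import os

# Modhex: the YubiKey's keyboard-layout-independent alphabet, one letter per nibble 0..15.
MODHEX = "cbdefghijklnrtuv"
PUBLIC_ID_LEN = 12   # leading characters identify the key ("something you have")
OTP_LEN = 44         # public id + 32 characters of per-press token


def modhex_decode(s: str) -> bytes:
    """Decode a modhex string to bytes; raises ValueError on a non-modhex string."""
    if len(s) % 2 or any(c not in MODHEX for c in s):
        raise ValueError("not a modhex string")
    nibbles = [MODHEX.index(c) for c in s]
    return bytes((hi << 4) | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def split_otp(otp: str):
    """Split a 44-character OTP into (public_id, token), validating the alphabet."""
    if len(otp) != OTP_LEN:
        raise ValueError("OTP must be 44 modhex characters")
    modhex_decode(otp)
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


class StubValidationService:
    """Hypothetical validator. It is the only party that understands the token;
    the relying site just receives an answer. Here 'understanding' is reduced to
    format checking plus replay rejection (a real service also decrypts the token)."""

    def __init__(self):
        self.accepted = set()  # (public_id, token) pairs already used once

    def verify(self, otp: str) -> str:
        try:
            public_id, token = split_otp(otp)
        except ValueError:
            return "BAD_OTP"
        if (public_id, token) in self.accepted:
            return "REPLAYED_OTP"
        self.accepted.add((public_id, token))
        return "OK"


class Site:
    """The relying party: checks something you know AND something you have."""

    def __init__(self, validator):
        self.validator = validator
        self.users = {}  # name -> (salt, password_hash, registered public_id)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, name: str, password: str, public_id: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (salt, self._hash(password, salt), public_id)

    def login(self, name: str, password: str, otp: str) -> bool:
        record = self.users.get(name)
        if record is None:
            return False
        salt, password_hash, public_id = record
        # Factor 1: something you know (constant-time comparison of the hash).
        know_ok = hmac.compare_digest(self._hash(password, salt), password_hash)
        # Factor 2: something you have; the OTP must come from the key registered to this
        # user, and the validator must accept it (it refuses a replayed token).
        try:
            presented_id, _ = split_otp(otp)
        except ValueError:
            return False
        have_ok = presented_id == public_id and self.validator.verify(otp) == "OK"
        return know_ok and have_ok
```

The site never learns what is inside the token; it only compares the key’s public ID against the one registered for the account and trusts the validator’s one-word answer, which is what lets the authentication scheme change without the site changing.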

And if that’s not cool enough, want to know the coolest thing about the YubiKey? It’s environmentally friendly! The YubiKey web site states that the robust, ultra-thin and battery-free design increases lifetime and reduces environmental impact.

I’m more than seriously considering getting one of these myself, and even beyond that, getting one for all of my fellow site editors on some of the community web sites I help maintain. This is especially important for sites dealing in confidential or otherwise sensitive information, such as those which hold financial records or have other privacy concerns. Securing the authentication of privileged users such as the site administrators seems a natural step.

Better yet, because the only cost to implementing this system is developer resources and the cost of the physical YubiKey device, I’m also seriously considering baking this right into any new sites I develop. At $35, a YubiKey is actually cheaper than an SSL certificate, and even though the two don’t protect against all the same attack vectors, I think a device like the YubiKey is clearly a vastly superior solution in the majority of use cases.

I never really had a compelling reason to begin to propagate an OpenID identity before but now, at last, I do.

Written by Meitar

September 1st, 2008 at 12:08 pm

Productivity: It’s not what you do, it’s how you do it, and twentysomethings do it better

one comment

I don’t believe I have ever before posted an entry that, for all intents and purposes, is just a link to another blog post. However, this blog post is simply so brilliant and yet so short and easily digestible that I have nothing more to say. Thus: Twentysomething: 7 Reasons Why My Generation Is More Productive Than Yours.

By those definitions, I’ve been a productive twentysomething-year-old since I was a pre-teen, which just goes to show you that age has nothing to do with it. Damn straight.

Written by Meitar

August 4th, 2008 at 10:20 am

A web developer’s introduction to the Apple WikiServer (part 1)

10 comments

I absolutely love wikis, so when Apple introduced Mac OS X Server 10.5 “Leopard,” one of the new features I was really excited about was “WikiServer” (what the Apple marketing department calls “Teams”). I’m calling this specifically the Apple WikiServer in order to avoid confusion with the pre-existing wiki plus web server package called WikiServer.

Apple WikiServer: Mac OS X Server’s built-in Intranet builder

At work, I’m finally getting the opportunity to try the Apple WikiServer out. Its strongest asset, by far, is the integration it has with Apple’s Mac OS X permission scheme. Apple WikiServer makes heavy use of the OS’s built-in user accounts to define users and groups, and the permissions those users and groups have to edit, view, and comment on pages in the wiki you create with it. And, because Leopard Server has full support for Access Control Lists, those permissions schemes can be as complex as you like.

This is very important because many large (and small) organizations have sensitive material that they’d like to keep private, or restricted to certain groups. Historically, wikis have been a free-for-all: anyone who has access to any part of the wiki can change any other part of the wiki. Recent wiki implementations, such as later versions of MediaWiki and some other wiki software, have implemented permissions systems to allow administrative users to control access rights, but these are often complicated or require code-level configuration.

With Apple’s WikiServer, all of these permissions can be managed via the Workgroup Manager application, and because you can take advantage of the built-in ACL support, you can model your organization’s permissions scheme directly in the Server OS permissions structure, giving you a much easier way to control information access. Take note, however, that like almost everything else that touches your Apache configuration, your Server’s Web Service will likely need to be stopped and started again for any changes you make to a wiki’s permissions to take effect.

The Workgroup Manager application is also where you go to create new wikis for groups. To enable a wiki, you need to already have created a group and assigned users to that group. For instance, I created a Developer Wiki where all of the in-house developers can share tech tips, so I created a group called “Developers” and assigned individual developers, as well as the company executives (by way of the “Executives” group), to that group. The group-within-a-group technique is key, because if the company executives change, the members of the Developers group do not need to change, too. In all of Apple’s publications, Apple refers to the wikis hosted by WikiServer as an “intranet website.”
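The group-within-a-group idea above is easy to get subtly wrong (a group that ends up containing itself, a user whose rights come only through a nested group), so here is an added example, written for this post rather than taken from Apple’s tooling, of how such a policy resolves. It flattens nested groups into their effective user members with a cycle guard and then checks the three rights the post names (view, comment, edit) for a wiki. The directory, the `@`-prefix convention for group names and the ACL contents are all constructed for the example and are not WikiServer’s notation.

```python
from typing import Dict, FrozenSet, Set

# Constructed directory. Members are users or, when prefixed with "@", other groups
# (the prefix is this example's convention, not WikiServer's).
GROUPS: Dict[str, Set[str]] = {
    "@Executives": {"ceo", "cfo"},
    "@Developers": {"alice", "bob", "@Executives"},     # executives nested, as in the post
    "@Contractors": {"carol", "@Contractors"},          # self-reference: must not loop forever
}


def effective_members(group: str, groups: Dict[str, Set[str]] = GROUPS) -> FrozenSet[str]:
    """Flatten nested groups into the set of user names, ignoring cycles."""
    seen_groups: Set[str] = set()
    users: Set[str] = set()
    stack = [group]
    while stack:
        g = stack.pop()
        if g in seen_groups:          # cycle or diamond: already expanded
            continue
        seen_groups.add(g)
        for member in groups.get(g, set()):
            if member.startswith("@"):
                stack.append(member)
            else:
                users.add(member)
    return frozenset(users)


# Constructed per-wiki ACL: right -> principals (users or groups) holding that right.
WIKI_ACL: Dict[str, Dict[str, Set[str]]] = {
    "developer-wiki": {
        "view": {"@Developers", "@Contractors"},
        "comment": {"@Developers"},
        "edit": {"@Developers"},
    }
}


def is_allowed(user: str, wiki: str, right: str,
               acl=WIKI_ACL, groups: Dict[str, Set[str]] = GROUPS) -> bool:
    """True if the user holds the right directly or through any (nested) group."""
    for principal in acl.get(wiki, {}).get(right, set()):
        if principal.startswith("@"):
            if user in effective_members(principal, groups):
                return True
        elif principal == user:
            return True
    return False          # default deny: anything not granted is refused
```

Because membership is resolved at check time, adding a new executive to the Executives group grants them the Developers wiki rights without touching the Developers group, which is the maintenance benefit the post points out.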

It’s clear that Apple intended this product for use within small companies, and not necessarily out on the open Internet. What follows are just a few notes I’ve compiled about how the Apple WikiServer works.

Front-end Code Generation from the Apple WikiServer WYSIWYG Editor

The Apple wikis are very nice to use. Their functionality is relatively straightforward to find and activate. However, the HTML code that the Apple wikis generate can be a little confusing. By default, new page text is entered into a semantically meaningless <div> element. This can be changed by highlighting text and then selecting “Paragraph” from the formatting toolbar. Subsequent paragraphs that are typed seem to then use <p> elements. However, some paragraphs reverted to <div>s when I used it, and I’m still not sure why or when this occurred.

On the plus side, so far, all the browsers I’ve used with the Apple WikiServer function the same way. This includes Firefox 2, Safari 3.1, and Internet Explorer 6 and 7.

Typing actual code and having it marked up as such can’t be done from the GUI formatting toolbar, which offers no way to select a <code> element. The “Monospace” item in the text formatting toolbar creates <pre> elements and <pre> elements only. However, Apple does provide a “Switch to HTML view” button (the arrow brackets button) and one can enter standard HTML, including <code>…</code> elements, in that view, and then switch back. This behaves perfectly on all browsers except Internet Explorer, in which your text area field shows no line breaks whatsoever.

Apple’s WYSIWYG editor handles escaping special characters when those special characters have HTML entity reference equivalents, such as double quotes (“), arrow brackets (< and >), and ampersands (&). It does not seem to handle Unicode characters, such as the ellipsis in the prior paragraph. However, such Unicode characters need not be escaped as long as the document’s character set is UTF-8 (or UTF-16), which the Apple WikiServer specifies and supports out of the box.

Pressing the Return key twice causes the Apple wiki to generate an empty <div> or <p> element with an explicit break (<br />) inside of it. One can deduce that this is a design choice in order to help transition users who are used to plain <textarea /> inputs to Apple’s WYSIWYG editor. It’s also the only way to space paragraphs properly if the user hasn’t selected the “Paragraph” option in the text formatting toolbar. Otherwise, simply hitting the Return key once is enough to space paragraphs apart properly (i.e., the functionality is equivalent to the way Microsoft Word or Pages handles paragraph breaks).

Interestingly, the “Enter URL…” function from the toolbar is smarter than one might first assume. For instance, it recognizes email addresses and prepends a mailto: scheme to the link if it finds one. This is contrary to what the Apple-provided manual states, which tells you to enter the “mailto:” portion as part of the URL. In fact, you should omit this, else your final mailto link will actually read “mailto:mailto:your.email@address.com”.

This means linking to “mailto: links” is as simple as typing an email address. Similarly, the WYSIWYG doesn’t complain if your fully-qualified URL doesn’t include a scheme, so you can enter //apple.com/ and the subsequent link is generated as <a href="//apple.com/">Link text</a>. This is one step above and beyond even WordPress’s new WYSIWYG editor, which forcefully prepends an http: scheme to URLs without one.

For the most part, copy-and-paste works as expected, except in cases where the WYSIWYG editor does not understand the current formatting, such as a specific font and (and this is a biggie) links. At first, the editor will appear to show that the formatting (including links) is saved, but when you actually save the page, only the formatting that the WYSIWYG editor understands is actually saved. Worse, all your links are turned into underlined—but unlinked—text. In short, this means that if you are copying and pasting page content that contains links, you need to do so in the HTML view of the page editor.

Inexplicably, the editor generates <i> and <b> tags for italics and bold, instead of the preferred <em> and <strong> elements. I’m not sure I understand why this is the case. There does exist an “emphasis” option in the toolbar, as does an “important” option, but these generate strange spans instead. The “Important” item wraps the selected text inside a <span class="Apple-style-span custom_forecolor_important">…</span> element and the “Emphasis” item wraps the selected text inside a <span class="Apple-style-span custom_forecolor_emphasis">…</span> element.

There’s also one other item, “Highlight,” which wraps the selected text inside of a <span class="Apple-style-span custom_backcolor_highlight">…</span> element.

The only explanation that makes sense to me, after much speculation, is that perhaps Apple does not want to encode semantic information such as what <em> and <strong> would imply from users who use a WYSIWYG editor. This shows either a blatant distrust of users or incredible foresight. I’m not sure which.
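For anyone who wants semantic markup out of the editor regardless of Apple’s intent, here is an added example (my own code, not part of WikiServer or of this post) that post-processes a saved fragment with Python’s standard-library `html.parser`. It applies the observations above in reverse: bare <div>s become <p>, <i> and <b> become <em> and <strong>, the three Apple-style-span classes become <em>, <strong> and <mark> (the choice of <mark> for “Highlight” is this example’s assumption), and the empty <div><br /></div> produced by pressing Return twice is dropped. Text is re-escaped on output, so a stray “<” in page content cannot become markup. The input fragments are constructed for the example.

```python
import re
from html import escape
from html.parser import HTMLParser

# Editor output -> semantic element, per the observations in the post.
TAG_MAP = {"div": "p", "i": "em", "b": "strong"}
SPAN_CLASS_MAP = {
    "custom_forecolor_emphasis": "em",
    "custom_forecolor_important": "strong",
    "custom_backcolor_highlight": "mark",   # assumption: <mark> for "Highlight"
}
VOID = {"br", "img", "hr"}                  # elements with no end tag


class Normalizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []   # names of the elements we emitted, so end tags match

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        new = TAG_MAP.get(tag, tag)
        if tag == "span":
            classes = (attrs.get("class") or "").split()
            new = next((SPAN_CLASS_MAP[c] for c in classes if c in SPAN_CLASS_MAP), "span")
            if new != "span":
                attrs = {}          # drop the Apple-style-span class noise
        if tag in VOID:
            self.out.append(self._open(new, attrs, void=True))
            return
        self.stack.append(new)
        self.out.append(self._open(new, attrs))

    def handle_endtag(self, tag):
        if tag in VOID:
            return
        if self.stack:
            self.out.append(f"</{self.stack.pop()}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text stays text

    @staticmethod
    def _open(tag, attrs, void=False):
        rendered = "".join(f' {k}="{escape(v or "", quote=True)}"' for k, v in attrs.items())
        return f"<{tag}{rendered}{' /' if void else ''}>"


def normalize(fragment: str) -> str:
    """Rewrite an editor-generated fragment into semantic HTML."""
    parser = Normalizer()
    parser.feed(fragment)
    parser.close()
    html = "".join(parser.out)
    # Remove the empty paragraph the editor emits for a double Return.
    return re.sub(r"<p>(?:<br />)?</p>", "", html)
```

Run it over the HTML view of a page before publishing it elsewhere; it is deliberately conservative and leaves any element or attribute it does not recognise untouched.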

Page names and URLs

Currently, the search functionality built into Apple’s WikiServer only searches on the text of a page’s title.

Apple’s WikiServer generates unique page names for each new wiki page. These names consist of two parts, but only one seems to make any difference. For example, if you create a new Wiki page called “Hello”, you might get an address in your web browser’s location bar that looks like this:

http://your-server.local/groups/your-group-name/wiki/1d06a/Hello.html

Most of this is standard URL stuff (the protocol, the server address), and most of the rest is self-explanatory (the group name, the wiki section). The important bits in this URL are the last two:

  • 1d06a
  • Hello.html

Obviously, “Hello.html” came from the fact that you named your new page “Hello”. WikiServer appended “.html” on its own. The other bit, the short string of random characters, is a unique identifier used across all of this group’s web services (the wiki, blog, calendar, and mail list, if these other services are enabled) to uniquely identify this page. What’s interesting about this is that only the unique string of characters seems to matter with regard to accessing the page. That is, if you next ask for:

http://your-server.local/groups/your-group-name/wiki/1d06a/Some-Random-Page.html

you’ll still get the same “Hello.html” page from before, even though you’re seemingly asking for “Some-Random-Page.html”. In fact, it doesn’t seem to matter what you replace “Some-Random-Page” with. So long as there is some text in that part of the URL, that the URL ends with “.html” and that the unique identifier remains untouched, you’ll always end up retrieving the “Hello.html” page.

This means that if you change this page’s name later to, for instance, “Hello world”, old links that point to “…/1d06a/Hello.html” will continue to work, even while new links will start to point at “…/1d06a/Hello_world.html”. From a usability perspective, this is simple and effective; it ensures that users have a reminder of what the page is about by looking at the last part of the URL. However, once page names change, it becomes a bit non-optimal, because the same page can be referred to by multiple names—a “no-no” in the SEO world and a practice discouraged by most semantic-web types.

I would imagine that Apple made this design decision because the company envisioned its WikiServer being used, again, primarily in intranet and SOHO environments, and as a result was not too concerned with search engine optimization. As an aside, this unique string is also how Apple’s WikiServer identifies the stored content on the filesystem. Read on for more details.
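The resolution rule described above (only the identifier matters; the page name is decoration) is easy to reproduce, and so is the fix for the “one page, many URLs” problem. Here is an added example, my own code rather than anything from WikiServer, of a resolver for the URL shape in the post. With `canonicalize=False` it behaves as the post describes and serves the page whatever the name part says; with the default `canonicalize=True` it answers a permanent redirect to the URL built from the page’s current title, so old “…/Hello.html” links keep working but search engines and readers converge on one address. The page store, group name and title-to-slug rule (spaces to underscores, as the post shows) are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed page store keyed by the short unique id, as the post describes.
PAGES: Dict[str, Dict[str, str]] = {
    "1d06a": {"title": "Hello world", "body": "constructed body text"},
}

# /groups/<group>/wiki/<id>/<anything>.html; the id alphabet is an assumption.
WIKI_URL = re.compile(
    r"^/groups/(?P<group>[^/]+)/wiki/(?P<page_id>[A-Za-z0-9]+)/(?P<slug>[^/]+)\.html$"
)


def slugify(title: str) -> str:
    """Page name as it appears in the URL: spaces become underscores."""
    return title.replace(" ", "_")


def resolve(path: str, pages: Dict[str, Dict[str, str]] = PAGES,
            canonicalize: bool = True) -> Tuple[int, Optional[str], Optional[str]]:
    """Map a request path to (status, redirect_location, page_id).

    200: serve the page; 301: redirect to the canonical URL; 404: bad path or unknown id.
    """
    match = WIKI_URL.match(path)
    if not match:
        return 404, None, None
    page_id = match["page_id"]
    page = pages.get(page_id)
    if page is None:
        return 404, None, None          # the id, not the name, decides existence
    canonical_slug = slugify(page["title"])
    if canonicalize and match["slug"] != canonical_slug:
        location = f"/groups/{match['group']}/wiki/{page_id}/{canonical_slug}.html"
        return 301, location, page_id
    return 200, None, page_id
```

Keying on the identifier is what makes renames cheap; the redirect layered on top is what keeps the rename from multiplying the page’s addresses.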

Hacking the Apple WikiServer

There isn’t a lot of information out on the Web right now about how to work with the WikiServer, especially for developers. Therefore, some digging is needed. After a bit of research, I discovered the following key directories that the WikiServer uses:

  • /usr/share/collaboration - This has a few developer tool support files as well as the majority of the client-side code for the Wiki (JavaScript files, etc.).
  • /usr/share/wikid - This directory holds the Python sources and compiled bytecode for all the “Teams” components (including wiki, blog, calendar, etc.). It seems to run on Twisted and a number of other familiar-sounding components.
  • /Library/Application Support/Apple/WikiServer - This is where most of the data is stored, inside of plist files and a few others. The Themes subdirectory here is where Apple recommends that look-and-feel changes be made.
  • /Library/Collaboration - This is the default data storage location for all the “Teams” components. The actual content of the wikis and blogs is kept somewhere in this directory, which means that this is the directory you want to back up to preserve the content of your wikis. This location is the only user-configurable one of the bunch. To change it, change the “Data Store” value in Server Admin. (A more detailed listing of this directory hierarchy is available on page 62 of the Mac OS X Server Web Technologies Administration For Version 10.5 Leopard manual.)

If you take a peek at the /Library/Collaboration directory, and follow that into the Groups/your-group-name/wiki directory, you’ll find a list of all the pages in your wiki stored as .page bundles, identified with the unique character string WikiServer generated when it first created the page.

It should be noted that anything in the /usr/share directory will likely be overwritten whenever Apple releases an update that modifies the WikiServer. As a result, any and all changes you make to WikiServer’s templates or themes should be done by creating new files in the /Library/Application Support/Apple/WikiServer/Themes directory.

It’s interesting to note that the WikiServer seems to use Python for its back-end processing. This may open up some interesting integration possibilities for Python programmers in the future.

More help elsewhere

Even though Apple WikiServer is relatively new, there’s a load of helpful information about it on the web. Most of the good stuff is on Apple’s own Discussions boards, but more and more info is beginning to show up on blog posts. A Google search should give you what you need. For the really lazy, however, here are a few helpful items:

This was just a brief introduction to WikiServer from some notes I’ve been collecting in my experimentations, but I hope it’s helpful to someone somewhere. Cheers. Or, continue to Part 2.

Written by Meitar

April 5th, 2008 at 5:10 am

Service-oriented Internet companies and porn: Ning gets it right

leave a comment

I think it’s important—for a lot of reasons—to let people do what they want rather than to try to force people to do what you think is right. Ning is a company that gets it:

In a nutshell, we aren’t pro-porn, but we are pro-freedom.

To prevent porn, you have to take an activist stand against freedom of expression — you have to get in there and judge content, judge people, judge intent, and take action based on your judgments. I would never criticize a company for doing so, but I don’t want to do that, and we as a company don’t want to do that.

We think a better approach is to let people fundamentally do what they want, as long as it isn’t illegal and doesn’t otherwise violate our terms of service.

A heartfelt applause to Marc and everyone at Ning for putting their user’s personal choices ahead of their own. It’s not only good social justice, it’s excellent business.

Marc even provides some history:

From the very beginning of the Internet as a mass medium, porn has been present, and all of the Internet companies that have come before us have had to figure out where they stand.

[…]

[D]uring my time at AOL, I was fascinated to see how AOL dealt with porn. AOL had to balance two facts. One, their entire marketing thrust to be a mass market service meant that they had to come across as — and be — highly family-friendly. And in fact, they did a lot of work with parental controls and other features to make sure that families would use AOL safely. But the other fact was that a huge part of AOL’s actual usage all through the ’90s was for adult content — chat rooms, bulletin boards, and all the rest.

In practice, I think they balanced those two facts quite well — AOL could be used as a family-friendly service or as an open environment for people to do whatever they want, and it worked quite well for everyone.

This is a model that Yahoo then followed, and Google more recently.

Yahoo has always had an enormous amount of adult activity and material — some estimates are that as much as half of Yahoo Groups’ activity is adult in nature, for example.

And Google of course famously crawls and serves up search results and images for all kinds of adult topics, among every other topic in the world.

In light of many high-profile anti-porn practices by social networking sites such as MySpace, Facebook, and to a lesser degree, LiveJournal, it’s great to see that at least one company has put its own business ahead of other people’s politics. It’s precisely that sort of thing that’s made Marc an entrepreneurial blockbuster time and time again.

And frankly, I think the social agenda called freedom is just as important.

Via Susan Mernit

Written by Meitar

January 8th, 2008 at 3:24 am

Culture of work ’til you drop

leave a comment

I heard a crazy thing today.

There is an expectation of overtime in [the technology] industry. I don’t think anyone’s surprised by that.

Um, I’m surprised by that. That’s why they call it overtime. It’s over(what is expected)time. Otherwise it would just be called moretime or something that doesn’t imply the fact that a particular measurement has been exceeded.

Of course, I’m not really surprised by that. I have been facing this expectation ever since I began working at 16, and since then I have been working some “overtime” hours, most of them unpaid. Surprised? No. Incredulous? Yes.

It strikes me as particularly insane to let my lack of surprise for such a thing turn into complacency, as the vast majority of people I have always shared office space with have seemed to do. Some go so far as to volunteer overtime hours, which always leaves me with a puzzled look on my face.

One of the primary issues for me is to have some choice in the matter. Flexibility is freeing (even if it has to be legislated), and enhances productiveness by increasing a worker’s efficiency. An expectation of overtime (or anything) is accompanied by an implicit ultimatum: do X or else Y. This is even more evident when other people volunteer X and I don’t, and it creates an environment that culturally strengthens the expectation of X. There’s a phrase for this: it’s called peer pressure.

American workers are indoctrinated with a system of reward: “work hard—play hard.” This is not really so bad, it models the reality of many situations quite realistically (i.e., not everything is perfect or enjoyable all the time), and it’s generally a good if simplistic approach to a holistic life.

Until you realize that this work culture places more importance on work than on play. This is a Bad Thing. The reason this is so bad is that it informs every decision employers (and, to my astonishment, many employees) make: that they should always sacrifice “play” in favor of “work” because the latter is perceived as more important.

Now, I realize to most of my colleagues and fellow white-collar Americans I am probably being written off as a lazy slob right about now, and I suppose there’s little avoiding that. However, if that is what you are doing I will challenge you to consider the following question: If work is so much more important than play, why the incredibly passionate concerns over quality of life, or fulfillment, or happiness, or personal satisfaction? Are you happy with your job? Does it provide for you these things you say you seek?

If so, I envy you, as do the massively overwhelming majority of other employed people. The sad truth is that for most people, many of whom don’t even know what it is they want (myself included to some degree), expectations of work being more important to me than, well, the rest of me, are absurd.

I am not saying that working jobs you don’t really want frees you of the commitments you made to tasks you have, if you have made such commitments. What I am saying is that the (ridiculous) expectation of work being more important doesn’t change those commitments. In other words, if I have a full-time job, I should be working whatever the definition of “full-time” is, which in New York City is 40 hours per week. Working one minute over those 40 hours is, and should always be expected to be, optional.

Right now, that isn’t really the case, and it’s unfortunate because the rather arbitrary dogma of the 9-5 for every conceivable working environment, set forth by Henry Ford in the early 1900s, is rapidly becoming ever more inappropriate to today’s working conditions. As the New Zealand Herald article I linked to above says:

“If employers were able to vary their working hours, and work more often from home, there would be real social, environmental as well as economic benefits,” Ms Kedgley said.

I sincerely believe this is true, and I can’t for the life of me figure out why it’s such a foreign concept to most people. Even the people who talk about “work-life balance” often talk about it in a way that shows they clearly separate the idea of work from the idea of life. Instead, I think work should be viewed not as a “necessary evil” that just happens to be a part of life, but rather that people need to be enabled to find the ways that makes working, y’know, work for them.

Succeeding in that can only cause Good Things to happen for everyone.

Written by Meitar

November 21st, 2007 at 7:04 pm