Why I am publicly disassociating myself from the Recurse Center

Posted here is an email I broadcast to the entire Recurse Center alumni community, of which I was a part, through their internal email list serve called Community (source code). The subject of the email was “Why I am disassociating myself from the Recurse Center.” Predictable spoiler alert: after sending this email, RC faculty has “removed” (banned) me. ¯\_(ツ)_/¯

I was accepted to the Recurse Center in the Fall 2, 2016 batch. Half-way through my batch, I was so heartbroken by what I found that I stopped showing up. I dropped out of RC because I found it to be, at its best, a diluted but essentially identical version of the Silicon Valley culture that I had already vehemently rejected years before.

I realize many of you have had very good experiences at RC. I have had some good experiences, as well. A number of my very good friends are RC alumni, people with whom I share political views, go out drinking with, and hack on projects with. However, I can do all that outside of RC, in spaces that I feel are just *better* than the Recurse Center’s community is.

This week, I made a rare re-appearance at RC by posting a request for hardware donations to the New York region’s Community thread in order to resource a small, community-run computer lab that I and some friends are helping to build and administer. This is the second time I have made such a request of the RC community, the last time being in 2017. I’m very heartened to see that, both times, a number of RC community members generously offered their help and I am happy to be coordinating an equipment pickup for later this week.

Thank you so much to everyone who has made my time at and involvement in RC better. As I understand it, this kind of generosity—where we approach one another in good faith and support one another’s efforts to become increasingly skilled technologists—is what RC should be all about. It’s why we were all members of the RC community. I will genuinely miss the opportunity to meet the many well-meaning people that having access to private RC discussion channels provides.

Unfortunately, very quickly after I posted to the Community forum regarding my interest in your unused, old hardware, someone replied asking me to effectively prove my worth as a recipient of their electronic waste. As strange as it might sound, they cited the possibility that I might be using RC’ers’ donated electronic garbage as part of a monetized YouTube channel to fund a Machine Learning startup. This is even funnier for those of you know that know even the faintest bit about me and my deeply held radical Anarcho anti-capitalist, anti tech-industry leanings.

Here’s the thing: this kind of response strikes me as being directly in opposition to the purpose of RC as a community in the first place. The response I got might have been appropriate had I posted on CraigsList. But a closed, pre-screened community like the Recurse Center?

Sadly, this is not the only incident spurring my choice to formally distance myself from RC. It is just the most recent. Enumerating all the times I witnessed disappointing behavior from respected RC community members isn’t the point of this message (but I will happily do so in private conversation should anyone feel the desire to reach out to me to learn more) so it is enough for me to say that I recognize a pattern of behavior in the RC community that makes me deeply uncomfortable. This is a pattern I routinely see elsewhere as well, especially in largely upper-middle class, predominantly white, neoliberal spaces such as RC. These patterns are even more pronounced in “tech/developer” spaces. The prevalence of and the unwillingness to acknowledge this pattern is precisely why I am not a member of almost any space or community that meets this description.

Like clockwork, after expressing my anger at being told to provide “indicators of trustworthiness” sufficient enough to be bestowed the honor of receiving discarded electronic waste from this man, the “let’s all engage rationally” peace-police arrived and told me I was “arguing when I could have engaged” with this man’s demands. Here’s the thing: there’s nothing to engage with. It is my firm belief that people who demand that I prove my worth to them for the opportunity to maybe, if I meet their standards, receive their waste, *are not worth engaging with*. This does not seem to me like something that should be a controversial position. Moreover, communities in which respected, well-to-do members treat an expression of anger at being demanded such a thing to be so unacceptable as to defend the demand suffer from a systemic pacifist neoliberal poison that I believe is harmful to society at large and know is personally stressful for me to be exposed to.

The Recurse Center was, for the past three years, sometimes the one exception to the prevalence of this toxic behavior for me. I know for a fact that it is the one exception for *many* technologists such as myself, because I have had many conversations with RC’ers who told me as such. While I never spoke in exclusively positive terms about the Recurse Center, I also largely kept to myself about its faults unless I was asked directly and, even then, I saw fit to temper my dislike with caveats like “your mileage may vary.” It was, and probably still is, “the best of the tech communities.” Unfortunately, at their absolute best and as RC demonstrates elegantly, “tech communities” are essentially abusive neoliberal cesspools that are pathologically unwilling to critically self-reflect deeply enough for long enough to meaningfully alter themselves for the better.

During my batch at RC, I was homeless and hungry. This is not an exaggeration. (I wrote the Penniless Recurser’s Survival Guide on the RC Wiki wiki [ed. also now extracted and republished in original Markdown format my blog, here] partly to document what the experience.) I found shelter on couches (endless thanks to few RC’ers who let me crash with them!) and in parks. For a community like RC to have little to no apparent problem with an actual Google employee demanding that a genderqueer poor person justify their request for literal electronic garbage, and then express more consternation over that poor person’s vocal objection to be treated in such a manner, is an extremely violent position to hold. I would respectfully submit that y’all should investigate that shit.

Over the past two years, I have had a very difficult time biting my tongue when things similar to the response I got to my request for unused hardware have happened. I recall the evening I sat in the RC library when the news of Trump’s election shocked (SHOCKED! I say!) the majority of the (white, male) RC community. I bit my tongue harder, tempered my words when I spoke, but largely simply decided not to spend that much time at RC or checking Zulip anymore. The message has always been clear: “This isn’t a space for politics.”

I see little wrong with RC’s choice to be more-or-less actively apolitical—and that is how I see it; I know a lot of RC’ers believe RC is actually quite actively progressive, to which I can only scoff to myself at the meekness of those expressed politics—nor do I see it as my place to attempt to change the RC community writ large. Again, that’s why you haven’t really seen me participate in RC since I left my 2016 batch.

Inevitably, though, my presence and actions causes some sort of existential angst. Even when what I initiate at RC is as innocuous as a request for donated electronics, the result is an uncomfortable confrontation. So uncomfortable that someone completely uninvolved, someone at whom no statement from either party was directed, felt the need to jump in. So uncomfortable that, a day later, RC’s staff sends me the following email, reprinted here in full:

Hi may may,

I have some feedback on your recent posts on Community.

First, I really appreciated your initial post requesting donations. It was thoughtful and detailed. Thank you for sending it.

Your subsequent posts were mean-spirited, unnecessarily personal, and inappropriate for RC. Specifically, saying things like “I’d probably expel you from a session I was running,” and “that’s your therapy session topic,” are unacceptable things to say in the RC community. They’re mean, you could have easily made your point without them, and are against the spirit of our code of conduct – specifically the part that reads “Be kind to others. Do not insult or put down other Recursers.” It’s also inappropriate to argue in bad faith.

It is important to us that you commit to not doing these things in the future in RC community spaces. Is this something you can commit to?

Thanks,
Dave

P.S. I have also emailed Sidney with feedback on his posts and to tell him that he should have done more to assume good intentions on your part.

Now let me take the opportunity to say directly to Dave: thank you for your feedback on my recent posts on Community. I am pleased to hear that you appreciated my initial post. :)

I disagree with you that my subsequent posts were unnecessarily personal. I was and am angry, and I believe I have every right and reason both to be angry and to express that anger in exactly the way that I did. I further believe that if these specific expressions are “unacceptable things to say in the RC community” then the RC community is either not the place it claims to be, or my understanding of RC as a place where people are treated like the complex adults that they are has always been inaccurate. In either case, RC is clearly not the place for me, because the only “bad faith” involved in this most recent interaction was Sidney’s behavior demanding that a member of the community with equal standing as he has justify a request for receipt of literal trash.

To be clear, David, I will absolutely not commit to not being “mean” by your standards when I am put down in this way. Furthermore, I find it offensive and extremely infantilizing that you would speak to me in the manner that you did. You are not my employer, nor am I in your kindergarten class.

My time at RC over the past years has continued to dwindle, and the benefits for me in my involvement now amount to occasionally asking if anyone has unused hardware they’re willing to give away. I now have a number of relationships with others—some who are and many who are not involved with RC themselves—in which to grow as a programmer, explore my interest in computer systems, and experiment with new and exciting tools and techniques in new and exciting ways. This is in part due to the massive amount of work I and some close friends have done over the last couple of years to create and protect a space that is in some ways similar to RC, but without what we see as its worse elements.

I have no doubt that for many people, RC is still the only outlet they have for this kind of comfortable exploration. If I did not have the access I do to these other spaces where, for example, simply being angry is not treated like a personal failing, I would probably feel much more trepidatious about sending this very message to the RC community. Thankfully, RC is no longer “the best of tech communities” that I can personally participate in. There are a couple of much, much better ones where I vastly prefer to spend my time, energy, and attention.

For all of the above reasons, it is with quite a bit of heartbreak but zero regret that I am publicly disassociating myself from the Recurse Center.

To anyone who feels as I do, please feel free to reach out to me via Signal Private Messenger message at (323) 963-4827, via email, or (for as long as my Zulip account remains active) via private message on Zulip. I’d be happy to discuss further details of any of this with those of you who feel that better communities can and should be more common and more accessible.

With respect,
-may may

Following is a full republication of the Community threads referenced in the above posting.

From 2019:

may may – F2’16, posted on Feb 03, 2019:

Hi all,

In 2017, I asked for spare hardware to help start a small community-run computer lab and many of you donated Raspberry Pi SBCs, old Wi-Fi routers, and other equipment. I am pleased to say that we were able to use these donations to build a small network that now powers occasional free computer classes, hosts a small resource library of DRM-free e-books, and provides a few other networked services. We’ve seen such incredible interest in the project that now we are looking for more hardware to expand the lab.

In particular, we are looking for 1 or 2 TB hard disk drives in order to provide a NAS (or NAS-like) video storage server for the computer lab. (A lot of people are interested in learning about video editing, unsurprisingly.) So once again I am asking if the RC community has spare or aging hardware that you would be willing to donate for a non-profit community project such as this one.

Myself or one of our project partners can come to you to pick up the hardware, or we can meet at a place and time that is convenient for you. We are hoping to acquire:

  • Hard drives (1 TB or 2 TB SATA HDDs of any quality, we can wipe them for you using DBAN or nwipe).
  • Single board computers of any make and model, Raspberry Pi 3 Mobel B+ especially desired
  • Cell phone chargers (5 volt 2.5 amp output with microUSB port is ideal)
  • Old routers/switches/hubs, and/or network cables
  • Internal computer parts; SATA cables especially (I am helping them build a RAID or ZFS RAIDZ array for their video library server), PCI video cards, etc.
  • Video cabling (VGA/DVI/HDMI), adapters, etc.
  • Old laptops and tower PC grayboxes of any make and model

Basically, if you have any hardware you want to get rid of and would rather see put to a good use over becoming a growing pile of garbage, please let me know. :) We are especially seeking hard drives to expand the storage capacity for student materials but will also gratefully accept other electronics, storage media (SD cards from old camers, etc), padlocks (with or without keys), and whatever else you have that we can make use of.

Please message me off-list (you can PM me on Zulip but I far prefer Signal messages to 323-963-4827, get Signal at Signal.org :) if you have something you’d like to donate.

Thanks in advance,
-m

Sidney San Martín – W’ 12, posted on Feb 03, 2019:

Could you share information about the community center/lab?

(I’m okay with you rejecting 501(c) as an indicator of trustworthiness, as mentioned in your linked post, if you can offer another trust indicator.)

may may – F2’16, posted on Feb 03, 2019:

Could you share information about the community center/lab?

What information are you seeking? There is no website. It is just a room in a neighborhood with a bunch of computers where locals sometimes gather and where I and others sometimes hang out and help folks learn things.

(I’m okay with you rejecting 501(c) as an indicator of trustworthiness, as mentioned in your linked post, if you can offer another trust indicator.)

Hmm. What would you consider an “indicator of trustworthiness” that meets the minimum bar for you to want to give me your unused electronic garbage? :)

[REDACTED] posted on Feb 03:

Considering the community-oriented projects may may was doing during batch and after, I am absolutely convinced that anything donated will be used as described. <3 When I am ready to let my Macbook Air go, it’ll go to you and your crew, may may :D

may may – F2’16, posted on Feb 03, 2019:

:) Thanks, @[REDACTED].

TBQH, I am still curious—for future reference—what kind of trust indicators are needed to receive donations of unused electronics, since I often ask for hand me down hardware from a variety of sources. That said, I would also understand if minimum trust requirements for this sort of activity are hard to quantify. :)

Sidney San Martín – W’ 12, posted on Feb 03, 2019:

@may may Hmm. Definitely hard to quantify, and I left it vague in case you had any ideas, but I’ll fill in what I can from my own thoughts.

Details felt conspicuously absent. I lack information about the location or intended audience, or why you would prefer to not share those things. Examples of statements that might have increased my trust:

  • “We’re located in [neighborhood] and most of the people involved so far are [group name/attributes] trying to [goal]. If you know anyone who might enjoy spending time there, taking a class, hosting a network service, or exploring our DRM-free library, message me off-list.”
  • “I am using this space to study alternative social structures, with a side interest in the up-to-date security practices of banks, the State, and large corporations.”
  • “My friends and I experiment here. There’s no intended benefit to any larger community, but if that’s okay with you, we’d love to take your electronic garbage :).”

Each of these statements gives me the chance to be turned off from contributing, which shows some trust in me as the reader, versus feeling like you don’t trust me to make a judgement call. Mentioning past, present, or planned projects, classes, network services, favorite e-books in the library, etc. might help. Statements of support from other RCers, like Veronica’s, do help.

Essentially the question I’m trying to answer is: “Is donating to @may may‘s project consistent with my own values, and, if I commit to taking the time to dig up my electronic garbage, do I know anyone else who might do more good with it?”

may may – F2’16, posted on Feb 04, 2019:

I see. Essentially, what I am hearing is that you want a chance to ensure that the electronics you (still theoretically, I might add—do you actually have hardware you’d like to not-have in the near future or is this just a hypothetical inquiry into my “indicators of trustworthiness” for you?) supposedly want to get rid of are going to be used in a manner of your choosing or by people you deem worthy of access to the equipment. This smacks of the patronizing way certain people talk about wanting to ensure the dollar bill they oh-so-painstakingly spent their oh-so-precious time digging out of their wallet to give a homeless person “won’t be spent on booze and drugs.”

Sorry, but I can give you no such guarantee, nor would I even if I could. For one thing, beyond the details I gave in my original post, I do not actually know what will happen. For another, I do not think it should matter. Are we going to use donated hardware to build a terrorist datacenter? Will your discarded HDD be filled with porn and torrents? Maybe! :D Or maybe not! Let’s find out.

Of course, this is ultimately what is meant by seeking donations of hardware. You are being asked if you would like to give something away. You are not being invited to monitor its use or audit its recipients.

If one wants to retain some control or oversight regarding how a thing one has is used, or wishes to investigate the worthiness of its recipients, that’s your therapy session topic, but I think it’s self-evident that such a person is clearly not motivated by the desire to rid themselves of the object in question in the first place. The giving of the item is at best a side effect; the true purpose of such an act is clearly something less simple, less noble, or both. It might even be interesting to examine how retaining some control over how a resource one has gets used is the kind of behavior that is more akin to a sponsorship than a donation, something companies like Google might do. 🤔 But I digress.

All that being said, here are some things I can tell you about me and what I’m up to that may be sufficient “indicators of trustworthiness” (or untrustworthiness) for you:

  • My friends and I who are involved in this little computer lab project share an ethos that is radically anti-capitalist and (speaking for myself only) explicitly Anarchist, which is probably not surprising if you read my linked post from 2017 or glanced at my RC People Directory profile.
  • We are building this little network for a grand total of $0, partly out of principle and partly simply because we can. The principle of the thing is partly spurred on because doing it “for free” gives a lot of poor and less affluent people quite a bit of hope when we show them something they find cool and tell them it can be built for “zero of their own dollars” simply by sifting through richer people’s trash and knowing what you’re doing with the parts you find. Most folks don’t realize how powerful off the shelf components are these days, so it’s a real “aha moment” for people who genuinely don’t have $200 to spare for an used laptop. It’s also a big hit with the Right-To-Repair crowd, with which we have some crossover, philosophically speaking.
  • We have and continue to generally expel most techies (so far all have been men) from our workshops, since in our experiences they tend to behave in condescending and entitled ways that many of us feel contributes to an atmosphere that makes it difficult to grow our technical skills and have fun exploring computer systems. They also talk a lot (usually by interrupting someone else or posing endless “what-ifs” and “what-abouts” hypotheticals) but basically never have something relevant to contribute. They also have all been really bad at sharing (teaching) what they do know, which is kind of the whole point of the community computer lab in the first place.
  • Sometimes we just give hardware away, too. For example, a few weeks ago, we prepared a Raspbian NOOBS SD card and gifted it along with a spare RPi, half-broken VGA video monitor, and mismatched USB keyboard and mouse set to a friend who works in food service and thus could almost never participate in our more regular gatherings. This was easy for us because, as you might have expected by now, we got all that hardware via donations (or the literal trash, in the case of the monitor) in the first place. Apart from an aging phone, this refurbished RPi is the only CPU that this person has, so being able to access the Internet from something other than a mobile device is a pretty big deal for them. I hope they pick up some of the more educational software on the Raspbian Desktop build but that is bluntly up to them because we are not policing their activity or auditing their worthiness. We are not cops. :)
  • Personally, I encourage folks I mentor to stay far from coding bootcamps, tech meetups, and other mainstream and even well-intentioned tech industry spaces, because I think their chances of learning things, not to mention just having quality, healthy educational experiences relating to computer systems or programming generally, is far lower in such spaces than it is in the kind of space we have managed to build over the past two years. I think they are a waste of time and sometimes money for most people most of the time. This is not a unanimous belief in this particular circle but my adamance has proven to be both influential and I dare say remarkably fruitful. Ironically, one person I mentored closely who had no tech experience to speak of actually did get a tech job (an entry level SRE position) after only about 10 months of regular attendance—meanwhile, other folks we know who took the code bootcamp route are still job hunting—and I have mixed feelings about all that. At least the company they were hired by is a registered non-profit and they like their new job way more than their old one, so that’s good. Anyways, all that is another story entirely.

So I guess, I would say that you are unlikely to benefit from any of this directly (for many reasons; only one of them is that I’d probably expel you from a session I was running, TBH), but many others, particularly those who are gender non-conforming, femme, very very very far Left-leaning politically, and/or feel themselves to be “outsiders” from “the tech world” have already benefited, including a handful of RC’s friends-of-friends. Finding a technically competent space where we are comfortable learning and exploring together is sadly rare and worth protecting, which often means not inviting the people who we feel would diminish the benefits of the space for us. To be blunt, yes, this does mean not opening our space to many Recursers.

For some of us, ours is the only comfortable space that is accessible, and so I am thrilled to see it thirst for additional hardware resources as it continues to grow and as the people involved flex their skills and gain confidence to try doing things they did not think they would ever do or even knew was a thing that could be done before. Like, say, build a RAID array with donated disk drives.

Given the consistently and predictably disappointing behavior of the overwhelming majority of veteran techies, I am also very confident that spaces like this will continue to feel very important to those of us involved in them. :)

So, yeah. Right now, 1 TB or 2 TB hard drives are the thing we want most, but as mentioned in my original post, old Wi-Fi routers and spare computer parts, SBCs of any sort, etc. are all great. Anything you don’t want (and are actually motivated by a desire to relinquish) that we can use, we will gladly accept.

Hopefully that clears things up. :) If not, ¯\_(ツ)_/¯ that’s all I got for you.

Sumana Harihareswara – F’13, posted on Feb 04:

On 2/4/19 5:36 AM, may may wrote:

I’d probably expel you from a session I was running, TBH

may may, I’m quoting perhaps the most adversarial thing you say in your reply, but overall, I think you are arguing where you could engage (I infer that’s a deliberate choice, but I’m noting it in case it’s not), and you miss legitimate reasons that folks exercise a modicum of judgment regarding where we choose to put our voluntary labor and give away stuff.

I totally understand your thinking that, once I give someone a gift, that gift is theirs to do with as they like. I am on board with that. And I further am on board with the reasoning that some people have a bunch of excess electronic stuff and have literally ZERO interest in where it goes so long as it gets out of their homes, so for those people, once you’ve said “gimme” they don’t need any more info.

But — at least in NYC — I have an option for where I put excess electronics that are in my home that I just do not want to bother with at all. I get paper mail from the Department of Sanitation about their disposal events a few times a year. I can box up my stuff and give it to them. When I choose NOT to do that and to try to give it to someone else, I’m usually doing that because I’m attempting to increase the likelihood that the stuff will be used for some at least nebulously world-improving thing, and — this is key! — that it is less likely to be literally thrown into a landfill, leach chemicals into soil, etc. etc. I recognize that this kind of judgment reads as condescending to you. To me this is part of being responsible with power.

Sorry, but I can give you no such guarantee, nor would I even if I could. For one thing, beyond the details I gave in my original post, I do not actually know what will happen. For another, I do not think it should matter. Are we going to use donated hardware to build a terrorist datacenter? Will your discarded HDD be filled with porn and torrents? Maybe! :D Or maybe not! Let’s find out.

No one is asking anyone else to predict the future here; we are asking what future you are attempting to make. Which you answer elsewhere in the email! So thank you for that.

I think by this point you’ve made your point of view clear so that people who want to know “what’s a non-Department of Sanitation option for disposing of my excess electronics?” can assess the option you’ve offered.

Sidney San Martín – W’ 12, posted on Feb 04, 2019:

+1 to every detail of @Sumana Harihareswara‘s comment!

For one thing, beyond the details I gave in my original post, I do not actually know what will happen. For another, I do not think it should matter.

Disappointing fates for my hardware (immediately after donation — down the road is none of my business) include:

  • You sell the donated hardware and keep the proceeds, but told me I was donating to a community center.
  • Your space is actually a monetized YouTube channel about destroying donated hardware in creative ways, and the proceeds fund a startup that uses ML to customize marketing email.
  • You encourage people to practice digital forensics skills on un-wiped devices instead of erasing them as promised.

Trustworthiness has to do with whether I think you’re empowering me to decide versus saying what I want to hear. (EDIT: I think it’s reasonable for me to want to audit your immediate intentions, but not the long-term fate of the hardware.)

The lack of detail bothered me because the unstated message to the community is (slightly exaggerated), “If I say too much, you might come and ruin my space, and if I say that, you might not want to donate, therefore I’ll say neither.”

do you actually have hardware you’d like to not-have in the near future or is this just a hypothetical inquiry into my “indicators of trustworthiness” for you?

Yes, I have a bunch.

I have to run off to a job where I ask similar questions about the fate of my work but, for the moment, thanks for sharing the extra context.

may may – F2’16, posted on Feb 04, 2019:

I think you are arguing where you could engage (I infer that’s a deliberate choice, but I’m noting it in case it’s not),

No, it is. To be quite blunt, this thread is a perfect illustration of why I stopped showing up to my RC batch half-way through and why you only see me pop up once about every two years to ask if any of you fine, skilled folks have any electronic garbage you’d like to give me for my various nebulous world-improving projects.

I recognize that this kind of judgment reads as condescending to you.

There are quite a lot of things that read as condescending to me coming from one Recurser to another, things that I suppose seem quite acceptable and normal to you, but taking a look around at exactly where I am and remembering I’d rather live a life free of most of the behaviors displayed in this thread, I’ll just leave it at that, return to my little community lab with its very different culture, and trust my position is now clear enough that you know where I stand on such things. :)

Perhaps I will post again in another two years to see if any of you have any spare mobile phones you’re trying to get rid of. Until then, I am sure you will remain comfortable and employed and in possession of more hardware than you use.

Also, Sidney, yes, I am totally running a get rich quick scheme from surplus RC donations and I am making bank. It’s astonishing no one has noticed until now.

Sidney San Martín – W’ 12, posted on Feb 04, 2019:

Hmm. There’s some miscommunication of intent in this thread. I don’t think you’re running a “get rich quick” scheme. I used that example alongside running a monetized YouTube channel because both seem unlikely for you. You said that the fate of donated electronics shouldn’t matter, and I was trying to communicate how the way they arrive at that fate matters to me (i.e. if I’m being lied to), not cast specific doubts/judgement on you. I feel like you’ve judged my motives based on wrong assumptions about me.

Based on your previous message, I support how you want to use donations. I was still into donating. Hell, I might still be into donating, I have thick skin in this area.

What you read as condescension, I understood as someone trying to non-judgmentally introduce the possibility that other humans might have their own ways of making decisions, and that if they don’t default to agreeing with you, it’s a chance for communication; it doesn’t mean that you’re ideological foes.

My own first message essentially said, “If you’re going to tell people why their established sinks for unwanted electronics ‘just won’t do’ because they’re inconsistent with your ideals, please be open to talking about why your sink for unwanted electronics might ‘do’ for their/my ideals.” I’d appreciate it if you could re-read the messages above with the assumption that we’re all on the same side.

may may – F2’16, posted on Feb 04, 2019:

Hell, I might still be into donating

When you figure that out, feel free to let me know.

David Albert – Faculty posted on Feb 05:

Hi everyone,

This thread has become unnecessarily mean-spirited and personal. Please
don’t post in it any more. If you have equipment that you’d like to donate
to may may’s lab, you can get in touch with them off-list.

The RC community only works when we trust each other. As the community
continues to grow, trust becomes more important and takes more effort to
build. Please act with good intention, assume good intentions on the part
of others, and don’t engage in personal attacks. Please also consider your
audience: there are a lot of people on this list.

[REDACTED] posted on Feb 05:

I didn’t read this exchange as mean-spirited and personal, but anyway I
hope this is nice-spirited and impersonal enough that you’ll all forgive me
for posting after being asked not to.

From 2017:

may may – F2’16, posted on Aug 07 2017:

Hi all,

I’m in touch with a small, new community/social center in the city that’s trying to assemble their first computer lab. They currently have some space for this effort, but no funds, and so asked me if I knew of any places where they can acquire donated hardware. Sadly, in NYC, I don’t. (Do you? Enlighten me!)

The hardware itself need not be in mint condition. It just has to work well-enough that a few moderately experienced tinkerers can use it for something—and not necessarily something “powerful.” All kinds of hardware was requested: old drives, cabling, adapters, modems, routers, power supplies, peripherals, repair tools, even things like locks (they specifically said locks don’t have to have a key to be useful). Basically, anything you have but don’t want that you hope resourceful people could put to good use. :)

So, for instance, if your workplace (or if the workplace of a friend of yours) throws away old computing equipment when they upgrade, I can probably find a good home for those items. Hit me up!

Thanks,
-m

[REDACTED] – posted on Aug 08 2017:

I donate all of my old electronics to https://www.lesecologycenter.org/. I know they refurbish and resell some electronics, and others they donate, but I don’t know how you become a recipient of the goods. Might be worth reaching out to them.

may may – F2’16, posted on Aug 07 2017:

Thanks for the suggestion, @[REDACTED]. I reached out to them, but unfortunately the LES Ecology Center and its Gowanus E-Waste Warehouse require a signed W-9 form and an IRS letter before they will give away anything they hold. This is not the kind of “donation” I was hoping to find. That approach simply requires too much capital investment, i.e., it is too high a bar to jump (not to mention far too much cooperation with capitalist structures and thus completely unworkable for all kinds of reasons far beyond mere money) to be a useful avenue for us to pursue.

What I am hoping to find is someone or several someones who no longer need electronics and want to get rid of them (as often happens at office workplaces). I know this is a common occurrence in a community as affluent as RC. After such equipment is donated to LES Ecology Center or an equivalent organization, it becomes subsumed by capitalist gears and is thus inaccessible for all the reasons stated above. That simply won’t do.

So, if you or anyone you know is getting rid of electronics, please consider letting your human friends (or me) know about that, before you donate to an institution that cooperates with the State.

Thanks!
-m

The day after I posted my farewell email, I received this email from the RC faculty.

Hi may may,

In your Community post last night, you said that you would not commit to changing your behavior and abiding by the RC code of conduct. Because of this, we’ve removed you from the RC community.

This means your Zulip, Community, and recurse.com accounts are now deactivated and you’ll no longer have access to the RC GitHub organization. You also won’t be welcome in the RC space or at future RC events.

Yours,
Dave

As is typical for these sorts of situations with these sorts of people, questions like “What is upsetting you?” were never asked of anyone involved. I think that’s disappointing and fundamentally inhumane.

The Penniless Recursers’ Survival Guide

As I no longer have access to the private discussion and collaboration spaces hosted by the Recurse Center, published here is one page from their internal Wiki that I authored. It is presented in its original Markdown format.

> [[Wiki|Home]] ▸ [[Guides and advice]] ▸ **Penniless Recursers' Survival Guide**

First off, we're thrilled you've chosen to participate in a batch at the Recurse Center! Coming to New York City can feel daunting for many people, but it's likely to feel even scarier if one cannot dedicate a large budget for such a trip. This page is devoted to **resources and suggestions that we hope will help people with little to no money thrive in New York City**.

Jump to a section:

* [Shelter](#shelter)
    * [Couch-surfing](#couch-surfing)
    * [House- and pet-sitting](#house--and-pet-sitting)
* [Food](#food)
    * [Food under $3](#food-under-3)
    * [Food from $3 to $5](#food-from-3-to-5)
    * [Pricier but sizeable](#pricier-but-sizeable)
    * [Drinks](#drinks)
* [Transportation](#transportation)
    * [Walking](#walking)
    * [Public/mass transit](#publicmass-transit)
    * [Bicycling](#bicycling)
* [Socializing](#socializing)
    * [Free events](#free-events)
        * [Free food events](#free-food-events)
            * [Sundays](#sundays)
            * [Mondays](#mondays)
        * [Free arts events](#free-arts-events)
        * [Free exercise events](#free-exercise-events)
    * [Pricier but noteworthy](#pricier-but-noteworthy)
    * [Other event listings](#other-event-listings)
* [Acquiring stuff](#acquiring-stuff)
* [Privacy](#privacy)

# Shelter

Finding shelter in NYC is rough. The housing market here is one of the most competitive in the world. The Recurse Center staff know this and have helpfully provided a [Housing forum](https://community.recurse.com/f/housing/12) on RC's internal bulletin board system, *Community*. If you don't have access to that, you will soon.

Nevertheless, be prepared for the fact that **most people's idea of "alternative" housing is probably not your idea of "alternative."** The Housing forum on Community is primarily a place to find roommates or relatively inexpensive sublets; it's likely that most of these will be well beyond your budget. "Cheap" housing in NYC ranges from $600 a month and higher. Most AirBnB prices within reasonable distance to Manhattan are even worse.

**Couch-surfing, house- or pet-sitting, and stealth urban camping are your most realistic options.** The good news is that these are relatively plentiful.

## Couch-surfing

You can post some couch-surfing requests to the Housing forum in Community. Recursers are generally kind, generous, hospitable people! :) That said, you would be remiss not to make use of the following resources, as well:

* [Couchsurfing stream on Zulip](https://recurse.zulipchat.com/#narrow/stream/couchsurfing)

  A stream on Zulip (RC's internal chat system; again, you'll get access to this soon if you don't already have it) for posting couchsurfing requests!

* [CouchSurfing.com](https://couchsurfing.com/)

  One of the earliest and largest travel hospitality social networks on the Web. Make an account, if you haven't already, it's free.

* [WarmShowers.org](https://www.warmshowers.org/)

  Like CouchSurfing, above, but created specifically for bicyclists. If you're a cyclist, even if you have no plans to cycle through NYC, consider making an account here. It will be easier to find a host given that you can represent yourself as part of a community-of-interest.

> 💡 After your batch, if you travel abroad, be sure to check out the [[Couch surfing]] page on this wiki to see if you're going somewhere that an RC alumn can host you! :)

## House- and pet-sitting

Many residents of New York City travel frequently, especially Recurse Center alumni. This means you will have more opportunities to house- and/or pet-sit for "friends of friends" than you might otherwise have. 

🚧 TK-TODO

# Food

It's likely that **food in New York City is an order of magnitude more expensive** than you're used to. **DO. NOT. UNDERESTIMATE. THIS.** This applies to supermarkets, bodegas, and groceries, as well as cafés, restaurants, and even a number of fast food chains. If you do have a budget for food, triple it if you can. In addition to the increased cost of groceries, be mindful of the fact that you are likely to have less time/emotional/mental resources on which to spend preparing food yourself, due to the constant bustling atmosphere of events both in the city and at Recurse Center itself. This means you are likely to eat take-out/delivery more often than you might otherwise, despite your best efforts. In case you do find the time to cook, [Good and Cheap](https://cookbooks.leannebrown.com/good-and-cheap.pdf) is a nice guide to eating well on a budget in the US. 

**Skipping/dumpster diving** can be trickier due to the density of the population and the longer hours of most establishments. This is especially true if you are accustomed to a more suburban diving setting. Skipping is also illegal here and there is a near-constant presence of police on patrol in most parts of lower Manhattan. (The outer boroughs are more varied in terms of their dumpster diving options and police presence.) That said, any trash bin or bag left near the street (as opposed to immediately next to a building or behind a fenced enclosure on the sidewalk) are [considered public domain](https://freegan.info/what-is-a-freegan/freegan-practices/urban-foraging/diving-and-the-law/) and can be taken. Of possible use is the [FallingFruit.org/dumpsters](http://fallingfruit.org/dumpsters) map, and the [Freegan.Info Manhattan](https://freegan.info/freegan-directories/dumpster-directory/manhattan/) and [Brooklyn Dumpster Directories](https://freegan.info/freegan-directories/dumpster-directory/brooklyn/).

If you are on **SNAP/EBT/Food Stamps**, you will be able to use them, even if you are from out-of-State. However, **many small shops do not accept EBT**. This includes corner bodegas, delis, and combination grocery store/eateries. Even fewer shops in the immediate vicinity of the Recurse Center's 455 Broadway location accept EBT, due to the classism^H^H^H dynamics of the SoHo and surrounding neighborhoods. Use the [SNAP Retailer Locator](http://www.fns.usda.gov/snap/retailerlocator) provided by the United States Department of Agriculture to locate nearby grocers where you can pay for food with your EBT card.

**Food banks/[food pantries/soup kitchens](http://www1.nyc.gov/nyc-resources/service/1083/find-a-food-pantry-or-soup-kitchen)** may also be an option for acquiring food, especially if you have access to a kitchen at your place of shelter. New York City's municipal government maintains [a directory of food pantries searchable by location](http://www1.nyc.gov/apps/311utils/providerInformation.htm?serviceId=1083). There are also informal networks of food donations that operate like food pantries; attend some [§ Free food events](#free-food-events) to start making relationships with these groups.

**The Recurse Center [[kitchen]] does not have a stove,** but there is a microwave and a small toaster oven. This means you will be unable to prepare most hot foods in the space itself, but you will be able to reheat leftovers or toast sandwiches easily. Especially for winter batches, consider cooking soups and stews at your place of shelter (if you have one—see the [#Shelter](#shelter) section for advice, tips, and warnings regarding surviving in NYC while unsheltered) and reheating them for lunch or dinner at RC. Moreover, many people find themselves wanting to arrive early and/or stay late at the Recurse Center's open-space office, and doing this means you will have even less time to actually cook food for which you need a stove.

**Communal food shelves** in the Recurse Center's kitchen are often stocked with coffee, creamers, condiments, and sometimes crackers or light snacks. Feel free to have these! Foods and drinks in the kitchen marked with a name (on a sticky note, piece of tape, or written on a label), belongs to their owner, of course. (That said, be mindful of your personal caffeination threshold! :)

Recursers are generally open to participate in **informal group food preparation** events, such as [Abstract Salad Factory Friday](https://recurse.zulipchat.com/#narrow/stream/food/topic/Abstract.20Salad.20Factory.20Friday!) (a sort of less manipulative salad version of [stone soup](https://en.wikipedia.org/wiki/Stone_Soup) style cooking) in order to promote healthy eating and lower one another's food costs, as it's often much cheaper to prepare food for a group of people together than to do so for one. Get in on these if they're happening during your batch. If not, be bold and revive these traditions! You'll be thanked for doing so.

**Be wary of corporate-branded events** advertising low-cost food. These events often make their way into lists of "free/fun things to do in NYC" (see [#Socializing](#socializing) for details), but are unlikely to work out well for a combination of reasons (prohibitively long waits—consider reading the [#Time management](#time-management) section for details—or simply a lack of supply, etc). Sadly, this sometimes even includes events marketed as "anti-hunger initiatives." :(

That being said, the following sections list specific venues where you can get relatively inexpensive meals. See also the [Free food events](#free-food-events) section for even more options. Cross-reference this with info on the [[Vegan and vegan friendly spots]] page if you have certain dietary restrictions. (Though now partly outdated, there's also [a thread on *Community* about cheap eats near RC](https://community.recurse.com/t/cheap-eats/31).)

## Food under $3

* [Jin Mei Dumpling House 津美锅贴](https://www.yelp.com/biz/jin-mei-dumpling-house-津美锅贴-new-york)

  Northern Chinese dumpling and sandwich parlor (the staff are from Tiānjīn 天津). Various kinds of dumplings fried (5/$1), in soup (6/$2 and up), frozen (30/$5). Beef sandwiches ("sesame pancake with beef", $2). There's a picture of the menu on the window [here](https://s3-media2.fl.yelpcdn.com/bphoto/xDkJNF54YHp69OqWHjOl1g/o.jpg)

* [Joey Pepperoni's Pizza](https://www.yelp.com/biz/joeys-pepperoni-pizza-new-york-3)

  Regular cheese slice is $1. "Lunch special" is $2.75 and includes two cheese slices and a can of Pepsi. It's pretty bland, but it's cheap.

* [Golden Steamer](https://www.yelp.com/biz/golden-steamer-new-york)

  Buns. You can get a big bun and a small bun in $2. I usually take a big bun and a roasted pork bun and they are more than sufficient for me.

* [Fried Dumpling](https://www.google.com/search?q=fried+dumpling+menu&oq=fried+dumpling+menu&aqs=chrome..69i57j0l3.4402j0j4&sourceid=chrome&ie=UTF-8): $1 for 5 fried pork buns or 5 fried dumplings

## Food from $3 to $5

* [Mei Yu Spring Restaurant 美如春](https://www.yelp.com/biz/mei-yu-spring-new-york)

  Fúzhōu _miànshí_ 麵食 [dough-based foods]. Most soups under $5; dumplings fried 5/$1.50, in soup 8/$3 and up; diverse southern-style buns. Menu visible [here](https://s3-media3.fl.yelpcdn.com/bphoto/PuOe7xiFy31qVh7lP69gjA/o.jpg). Good preparations of some unusual Fúzhōu standards like "Fuzhou Meat Ball Noodle Soup" (_yànwán tāngmiàn_ 燕丸湯麵; the skins of the "meat balls" are made of thin-pounded pork, not wheat), noodles in peanut-butter sauce ("Stir Noodle", _bànmiàn_ 拌面), tiny but strongly flavored wontons in soup ("Fuzhou Wonton Soup" _biǎnròu_ 扁肉).

* [Jubilee Marketplace](https://maps.google.com/?cid=13119853229355687346) sells egg and cheese breakfast bagel sandwiches for $3.75.

* [Vanessa's Dumpling House](https://www.yelp.com/biz/vanessas-dumpling-house-new-york-2)

  4 dumplings will set you back $1.75, but you usually need at least 8 to make a meal, bringing your total to $3.50. They're all great. Get what you want.

* [Champion Pizza](https://www.yelp.com/menu/champion-pizza-new-york-6)

  Slices are $2 here, good for a snack or a small lunch. Drinks are overpriced; bring your own water bottle.

* [Fu Zhou Cuisine](https://www.yelp.com/biz/shu-jiao-fu-zhou-cuisine-restaurant-new-york)

  Cheaper than Vanessa's, not as inviting, but also arguably tastier, steamed dumplings here cost $2 for 6, $3 for 10. If you eat a lot, this might be a better option. A common combo here is 10 dumplings + wheat noodles with peanut butter sauce for $3 + $2.

* [Wah Fung](https://www.yelp.com/biz/wah-fung-no-1-fast-food-new-york-2)

  $3.50 for a bunch of greasy chicken/pork and rice/noodles. Should fill you up quite a bit, and if you spend a bit more you can get a larger portion which should last a couple of days if not more. Cash only.

* [Canal Cafe Bakery Inc.](https://www.yelp.com/biz/canal-bakery-new-york)

  Very similar food and price to Wah Fung ($3.50 - 4ish). But you can also buy sugary pastries here and the customer line moves more quickly than Wah Fung at peak times. Cash only.

* [King's Kitchen](https://www.yelp.com/biz/kings-kitchen-new-york-2)

  Standard Chinese restaurant and a bit far from RC (there's probably similar places closer), but I know this place very well. $4-5 should get you a very filling bowl of noodles and pork/chicken or a lot of fried rice. Cash only.

* [Punjabi Grocery & Deli](https://goo.gl/maps/wNxq193HBDk)

  Large portions of very cheap and tasty curries. Vegetarian.

* [Mamoun's](https://www.google.com/maps/place/Mamoun's,+119+Macdougal+St,+New+York,+NY+10012/@40.7302678,-74.0004169,13z/data=!4m2!3m1!1s0x89c25991817682af:0xb8bb91865f939e8c?hl=en)
  $3.50 falafel, $4 if you want to add tabbouleh or hummus

## Pricier but sizeable

These venues range above $5 but tend to provide more sizeable portions. You may be able to stretch one purchase across two meals.

* [Bahn Mi Saigon](https://www.yelp.com/biz/banh-mi-saigon-new-york) $5 for a pork sandwich

* Halal food carts (on basically every corner near RC)

## Drinks

* The McDonald's nearby has Small, Medium, and Large coffee for $1 (all sizes cost the same). It's passable/decent.

* There is a coffee cart in the morning near [the Canal Street [A], [C], [E] station](https://www.google.com/maps/place/Canal+St/@40.7207122,-73.9993768,16z/data=!4m5!3m4!1s0x89c2598adc3342c9:0x4e7d4c005c794a91!8m2!3d40.7208241!4d-74.0052286) with coffee and pastries for ~$1-$1.50 each.

# Transportation

Getting around New York City can be confusing at first, but is remarkably easy and fast when compared to other large cities in the United States. Depending on where in the city you're staying, however, getting around can take up a lot of time in your day.

## Walking

**Walking, although not the fastest, is one of the cheapest ways of getting around!** It's also safe, and healthy, of course! The Recurse Center is located in downtown Manhattan (in the "SoHo" neighborhood), but the city itself stretches many miles North, East, and South (with the Hudson River to the West), so unless one is crashing nearby, this walk can get pretty long. Prepare for a march and wear good shoes if you have them! See also the [#Privacy](#privacy) section advice on dealing with NYC's incredibly hectic sidewalks, which can be overwhelming and stressful if you're unused to them.

## Public/mass transit

The [New York City Metropolitan Transit Authority](http://www.mta.info/) (the NYC MTA, or just MTA, for short) is a single municipal agency that runs all of the city's public buses and trains. New York City calls its trains "the Subway," even when the trains are above-ground, so look for signs that call out "Subway" if you're relying on analogue navigation. You might also hear people refer to the trains as "the Metro," but this is usually a pretty good sign that they are out-of-towners.

**Cash cannot be used to purchase fares when entering buses or train stations.** The only way to pay for these rides is to acquire a MetroCard from specially-marked MetroCard vending machines in Subway stations. MetroCard vending machines, however, do take cash. They also accept credit and some debit cards. See the [[Advice for foreigners coming to NY]] page for cautions and advice on getting a card that will work in NYC.

**Each bus and train ride costs $2.75 per trip if purchased ahead of time, or $3.00 for a single-ride pass, and this will add up fast.** Thankfully, you can buy "unlimited ride" MetroCards that let you hop on and off as many buses or trains as you wish until the card expires. These are available in 7-day or 30-day varieties. If you have a budget for transportation and are not staying within walking distance to the Recurse Center, *seriously consider purchasing one of these unlimited ride cards,* as they increasingly become more valuable the more frequently you use public transit services. Another benefit of these cards is that they are fixed-rate, so they may be easier to budget for. See [the NYC MTA's fares page](http://web.mta.info/nyct/fare/FaresatAGlance.htm) for the most up-to-date information about public transit fare costs.

**Do not trash MetroCards you have purchased, as each physical card costs $1 on top of fare costs to acquire.** Keep your old cards and reuse them. You can refill MetroCards by adding money to them or by extending their expiration dates for unlimited ride varieties.

#SwipeItForward: It's legal!

Sometimes people will ask for a spare "swipe" from those with monthly passes. This is *illegal*, and can lead to fines or court summons if you're caught by a transit cop or MTA employee; *even asking for a spare swipe* can get you into trouble. However, if you have an unlimited ride MetroCard, [it is *legal* to swipe someone else in](https://web.archive.org/web/20160803160753/http://web.mta.info/metrocard/termsunltd.htm). It is possible (and illegal) to skip the fare and jump the turnstile or enter through the emergency exit doors by tailgating through one before it closes. Be warned, this is considered Fare Evasion and could get you fined $100, and even jail time. Surveillance in NYC Subway stations (via cameras, random police patrols, and dedicated MTA security staff) is also *extremely aggressive* in comparison to many other places you may be used to, so consider these risks before making a decision.

New York City's public/mass transit system is *exceptionally* dense. If this is your first time in NYC, pay special attention to what bus or train you're getting on, regardless of the stop you're waiting at. A sizeable percentage of bus stops and train stations in NYC are transfer points across different routes. This means that taking the wrong route can easily send you in the wrong direction. This is double true because NYC's public transportation network serves far and wide in New York; there's almost no part of the city the public transit options don't reach, so you can accidentally find yourself very far afield of your intended destination if you're not careful. 

The cross-State public transit system that connects New York City to New Jersey is called the PATH. You can pay with a MetroCard (same as the NYC subway), as long as it is not an unlimited MetroCard. The [price per trip is $2.75](http://www.panynj.gov/path/fares.html) in the PATH (same as the Subway), but they are separate systems so you have to pay again when switching from PATH to subway or vice versa. **If you're staying in Jersey City** and taking the PATH on a daily basis, it makes sense to get a PATH-specific SmartLink card, which is slightly cheaper per trip than paying with a MetroCard.

## Bicycling

Once obtained (along with a helmet and lock, or two locks), a bicycle can be a very inexpensive way to move about the city. There are [bike paths](http://www.nycbikemaps.com/maps/nyc-bike-map/) for getting nearly anywhere, many of which are relatively safe (considering the hectic mess that is New York traffic). To avoid the worst of the road, it's recommended to ride during off hours, before 8 am or after 7 pm.

It's useful to note that one can take a bike on the subway at any given time, in a pinch.

For fixing bikes there are a few different co-ops and community workshops [around](http://times-up.org/index.php?page=bike-co-op/) the [city](http://bikecoop.nyc/) (often with a politically oriented vibe) which will help supply tools and expertise for maintaining a working transportation machine.


# Time management

> 🚧 TK-TODO: This section could use some tender lovin' care. Just a braindump for now.

* Many tech meetups/events offer free food. It can be very tempting to attend these to snag meals and leftovers. Don't feel bad about doing this, but also don't overdo it. Try not to attend events *just* for the free food. (This can be a hard balance to strike.)

# Socializing

New York City is simultaneously a very diverse and yet extremely divided city. This can feel especially pronounced when it comes to social events and outings, where many activities have an admission fee, cover, or drink minimum associated with them. Even going to bars can be stressful if, for instance, you're the only one who can't afford a drink. However, there are also *many* free or low-cost events to go to that are (by some people's accounts) even more fun! Here are some suggestions of regularly repeating or semi-regular events:

## Free events

### Free food events

#### Sundays

* [Food Not Bombs in New York](http://foodnotbombs.net/new_site/map/newyork.html)

  There is a large, active Food Not Bombs (FNB) chapter in New York City that serves free meals to hungry people in [Tompkins Square Park](https://en.wikipedia.org/wiki/Tompkins_Square_Park) each Sunday at 4:30pm. You can simply arrive and be served, or if you wish you can also help serve food to others as well. Help with serving, cleanup, and even cooking is *always* appreciated. Ask a volunteer at mealtime for details about getting more involved. :)

#### Mondays

* [Kitchen Collective Community Dinner](https://maydayspace.org/events/)

  Mayday Space in Brooklyn (~30min on the [J] or [M] trains from the Recurse Center) hosts communal dinners each Monday. Arrive at 5:30pm to help cook, and stay for the meal you helped prepare. Invitations are often posted on [Mayday Space's Facebook page](https://www.facebook.com/MaydaySpace/), too.

### Free arts events

* Many museums in New York City charge pay-what-you-wish admission, including the Metropolitan Museum of Art and the Museum of Natural History. This isn't always obvious at the admissions desk, but at anywhere that has a "Suggested Donation" note you can tell them how much you'd like to pay for a ticket. [Here's a full list of those museums.](http://www.nyc-arts.org/collections/35/free-museum-days-or-pay-what-you-wish)

* If you're at RC during the summer months, check out [Shakespeare in the Park](http://publictheater.org/en/Free-Shakespeare-in-the-Park/)! You have to enter a ticket lottery or wait on line in Central Park for a long time, but the shows are great.

* [Jalopy Theater](https://www.jalopy.biz/) in Red Hook has great free* live music shows (most of the acts play some kind of wonderful, weird, folk music) every Wednesday night starting at 9 pm. They also sell drinks at the venue, which are cheaper than usual NYC prices (beers are about $4 each). *They do pass a donation basket around at the end of each act.

### Free exercise events

* [The Bryant Park Jugglers](http://www.bryantpark.org/plan-your-visit/juggling.html) offer free juggling lessons to drop-ins or regulars. If you've never tried this before, you might be surprised at the intensity of the workout practicing to juggle can offer! (See also [JuggleNYC.com's Local Clubs page](http://www.jugglenyc.com/Local_Clubs) for a thorough listing of NYC-based juggling and circus arts groups. Many are free and meet regularly.)
* [Yoga to the People](http://yogatothepeople.com/new-york/) (donation based; if you don't have a mat it's $2 to rent)
* [November Project](https://www.strava.com/clubs/november-project-nyc-119741) Free fitness group that meets in the early mornings in a few different spots around NYC.

Additionally, [The Skint's list of free fitness classes](https://theskint.com/free-fitness-classes/) is a well-maintained resource, as well.

## Events under $5

* 🚧 TK-TODO

## Pricier but noteworthy

* [Harold Night (Improv theater) at the Upright Citizens Brigade](https://chelsea.ucbtheatre.com/show/5)

  For $6, you can reserve a ticket to an hour-and-a-half long improv show featuring three teams of (student) comics. This can be a fantastic way to take a break from a hard week's coding. **Tickets usually sell out four to five days in advance.**

## Other event listings

There are numerous places to look for free/low-cost events in the New York City area. If you're craving some social time outside of RC, consider browsing these sources:

* [Fun Things To Do In NYC Today](https://www.meetup.com/funthingstodoinnyctoday/)
* [The Skint: Free and Cheap New York](https://theskint.com/)
* [Bluestockings Activist Center and Café](http://bluestockings.com), a mere 20 minute walk from Recurse Center, regularly hosts free events ranging from book signings, short film screenings, discussion groups, and more on a range of topics, often with free refreshments. Consider subscribing to [Bluestockings's online calendar](http://bluestockings.com/calendar/) feed! :)
* [The LGBT Center's online calendar](https://gaycenter.org/calendar) has a dizzying assortment of free or low-cost events relating to [QUILTBAG](https://en.wiktionary.org/wiki/QUILTBAG)+ issues. Be mindful that some events on this calendar are intended to be safer spaces; you should contact the listed organizer before RSVP'ing to a given event if you are interested in it but unsure if the event is open to you.
* [The New York Public Library](https://www.nypl.org/events) boasts of more than "93,000 free programs a year across its 92 locations." Have a look! :)
* [Anarchism.NYC](http://anarchism.nyc/) is a simple calendar aggregator that lists numerous "Anarchist-ish events" from several different sources. As one might expect, nearly every event on this calendar has a certain political orientation and runs a gamut of topics from discussion groups to social justice organizing and beyond.

# Acquiring stuff

Many of us have grown accustomed to acquiring physical materials such as clothing, fashion accessories, or small household items from "free boxes" on sidewalks, yard sales, and similar give aways or hand-me-downs. Unfortunately, the ever-bustling nature of New York City makes these hard to come by. Anything that is left on the sidewalk is typically claimed or trashed remarkably quickly. Thankfully, there are many regional Internet-powered analogues to these informal gift economies:

* [/r/freebies](https://reddit.com/r/freebies) and [/r/efreebies](https://reddit.com/r/efreebies) have a ton of free stuff. /r/freebies, in particular, sometimes has free food, transportation, or groceries.
* [New York City Freecycle](https://trashnothing.com/new-york-city-freecycle) is a literal cyber bazaar where you can find an incredible miscellany of items in various conditions, all totally free.

## Deals and discounts on stuff

> 🚧 TK-TODO: EDITOR'S NOTE: This section might benefit from a different way of being organized, but it's small enough that this works for now. If you feel this is growing too large or like it's becoming a "miscellaneous" section, consider taking a moment to break it apart into more topical subsections.

* **If you have a `.edu` email address,**
  * you can get the [Github Student Developer Pack](https://education.github.com/pack) which includes free hosting, private repos, free domains and other things.
  * [Amazon Prime](https://www.amazon.com/gp/student/signup/info) has a free 6 month trial for students, which includes two-day shipping, music and legal movie streaming.

# Privacy

Having space and time to oneself can be difficult to find in New York City, and this is especially true if one is not wealthy. (For the inverse situation, see the [#Socializing](#socializing) section.) Even a simple walk down a New York City sidewalk can be a stressful experience requiring you to navigate a gauntlet of obstacles: other people, cars, loud noises, bright lights, and many other objects moving at various speeds. For those of us who have spent a significant time by ourselves or in otherwise secluded environments, this constant stimulus and extreme proximity to other humans can feel particularly overwhelming.

Some couch-surfing hosts will provide you with your own guest room, but this is exceedingly rare in NYC. Even if they do, couchsurfing often comes with an implicit expectation of being at least somewhat social in order to "be a good guest." That can be especially draining after spending your days at an extremely social space such as Recurse Center. House-sitting or pet-sitting is particularly helpful here, as it gives you at least some time to have your own space. (See the [#Shelter](#shelter) section to read advice about finding house/pet-sitting or couch surfing opportunities.)

**The Recurse Center's 455 Broadway location is very sparsely filled on Sundays,** making it a good place to come if you're seeking a reprieve from the city. While technically open to all RC community members, it's generally near-empty for most of each Sunday. In contrast, Saturdays tend to be much busier. There is a constant, much louder hum of activity on weekdays as well as weeknights.

If you have nowhere else to turn, there are some other tricks to finding a quiet place to think, write, work, or sleep in New York City.

For example, **many of [Columbia University's Morningside Heights on-campus classroom buildings (PDF)](https://web.archive.org/web/20161009182725/http://www.columbia.edu/files/columbia/content/morningsidemap_2015aug.pdf) are usually empty and unlocked during the day**. You can simply walk into the building, find an empty lecture room, and read a book or work on your laptop. This is even easier if you can pass as a college student. You may be asked to move from one room to another if a class enters, and you should probably leave at night as the buildings are swept by security guards before being locked. Unlike most NYC cafés, however, you will never be asked to leave for not making a purchase. These buildings also provide some of the cleanest (pseudo-)"public" restrooms in the city. On the other hand, there is no free Wi-Fi (for the general public) on Columbia University's campus.

Another way to find peace and quiet, particularly outside of Manhattan, is to **climb the fire escape of a short building**. These often go to rooftops, which are typically empty, especially at night. You can even spend the night here if you need to, and have brought your sleeping pad and bag along. Do check the weather forecast for rain over the evening if you plan to spend the night, though.

You can also **enter one of NYC's famously large parks and take a path slightly-less-traveled into the greenery**. Each borough has at least one of these big public parks, and they are open (or at least easy to get into) even at night. Central Park is the canonical example, but take a [look at a Google Maps/Earth satellite view](https://www.google.com/maps/place/New+York,+NY/@40.7058254,-74.1180872,49719m/data=!3m1!1e3!4m5!3m4!1s0x89c24fa5d33f083b:0xc80b8f06e177fe62!8m2!3d40.7127837!4d-74.0059413) to get a feel for more in the outer boroughs. Find a side path leading away from cement and you'll soon find some peace and quiet, at least for a few hours if not a whole night. A word of caution, though: [NYC Parks have official curfews](https://www.nycgovparks.org/rules/section-1-03), and if a cop decides to hassle you, they could slap you with a ~$100 ticket if you're in a park after 1 A.M.

***

See also: [[Mental Health Resources]]

WordPress NYC: Enterprise Features for Small Businesses Running WordPress

Earlier this week, the WordPress NYC Meetup group hosted me at their space inside the Microsoft Technology Center. I was there to present some of my recent work on “Enterprise Features for Small Businesses Running WordPress.” I had a lot of fun and really appreciated the opportunity to showcase three projects I’ve been working on recently.

You can find an archive of all recorded sessions that the organizers, Steve and Scott, of the WordPress NYC Meetup have produced at the “WPNYC TV” page on their website. Below, you can find my own presentation from their latest evening, along with a transcript and links to the original presentation materials. This includes my slide deck, presenter notes, and presentation runbook.

>> SCOTT BECKER: Maymay and I just met tonight, but I find what he does fascinating. So, instead of giving you, like, some spiel that, y’know, we’ve written up, I’m just going to read a bit about what we had here at Meetup so you know a little bit about what Maymay’s gonna talk to you about. I find it fascinating.

He’s a Free Software developer and technology consultant who—get this—works without money. Anybody else say that?

>> AUDIENCE MEMBERS: Sometimes.

[laughter]

>> MAYMAY: Good answer!

>> SCOTT BECKER: Instead of owning a home, Maymay lives on the road, traveling wherever I guess he’s needed and wanted, working to help secure and scale small businesses, non-profits, and community groups. He’s on the road and he helps people take advantage of enterprise features through easy to use and easy to understand Free and Open Source Software.

So, with that being said, maymay.

>> MAYMAY: Yeah! Thank you. Thank you so much, Scott and Steve, who I know is not here. And to Microsoft, for the space of course. So, you just introduced a little bit about me. I kinda just want to spend one moment say a little bit more about myself.

People call me “maymay,” that’s the name I prefer. This is a screenshot of my homepage at maymay.net. It’s spelled like the month of May, but twice. Um, I get DDoS’ed occasionally, so if my site’s not up right now, don’t worry about it. It’ll come back in a sec. Apologies if that’s happening, but go there to learn a little bit more about me, and about the work that I do.

In the meantime, I want to talk a bit about what we’re gonna do here. So, I talked a little bit about myself. I won’t bore you more with that. Next we’re gonna quickly spin up a new WordPress Multisite instance, so that we can show some of the demos that I want to show you. I’ll be showing you three WordPress plugins that I wrote that I think you might want to know about. That may be why you’re here. And finally, if there’s time, we can do some Q&A. Hopefully I’ll have some answers to that.

So, all right, let me go ahead and spin up a new WordPress Multisite instance. And, for this, I’m actually gonna go out of the slides, and I’m gonna go to my little demo here. Now, what I am going to do is go to this website that doesn’t yet exist, just to prove that it’s not actually there: W P N Y C dot DEMO. This website doesn’t exist, no one can get to it. It doesn’t yet exist. So we’re going to go ahead and make it!

Can y’all see that, is that big enough? That text is big? Okay.

I’m gonna be using a couple tools that I’m gonna explain in just a second. The one that I want to start with is VV. And, this is gonna basically automate creating an entire new WordPress Multisite install on my machine, and make the site available at WPNYC.DEMO.

So, I’m gonna tell VV to, hey, please create for me a domain called WPNYC.DEMO. And I want the name of this site to be WPNYCDEMO. Is that right? That’s right. And I want it to be a multisite install with a subdomain scheme. You know how WordPress can do subdirectories and subdomains? I want subdomains. I want the admin username to be admin, I want the password to be password, which I know is not a good password, but this is a demo.

>> AUDIENCE MEMBER: Password with five asterisks!

>> MAYMAY: Yeah, and an at-sign!

>> AUDIENCE MEMBER: What is this software you’re using?

>> MAYMAY: I’ll talk about the software in just a sec, I just want to kick this off.

The admin email address is gonna be admin@wpnyc.demo. I want also to remove these defaults. Y’know how sometimes when you install a new WordPress site it installs plugins like Akismet and the Hello Dolly plugin and a bunch of different themes that you almost never use? I wanna remove all those, so I don’t actually want those to be part of the final build. And I’m also going to use the debug flag here because I want to set the WP_DEBUG constant in the wp-config file. This will help me show you some of the output from some of the plugins that we’re gonna demo. Just so that we make sure that’s there.

All right, so I’m gonna go ahead and create that. And VV’s gonna ask me whether or not I want to create a site with a blueprint. I don’t. Whether I want to install a specific version of WordPress. I don’t. I’ll just use the latest version, rather. I’m not going to use any sample content so it’s gonna be totally blank, no users, no nothing. We’re not gonna import any database files. We’re not going to add sample content to any of this. And we’re gonna go ahead and start that off.

Now, VV is gonna go ahead and build me a new server and it’s going to make that site available over on the left-hand side there. And while that’s happening, we can switch back to our presentation and we can talk a little bit about the demos that I’m going to be showing you.

So, very briefly. If you don’t already know about the tools there—

>> AUDIENCE MEMBER: Where’s this site going to be set up?

>> MAYMAY: It’s setting up right on my computer here, in a development environment. And it’s going to be using these things: Virtual Box, which is a virtual machine hypervisor, a type 2 virtual machine hypervisor. That means that I’m gonna have a totally new computer, a Linux server, on my Mac here. That, is being configured using Vagrant, which is a virtual machine hypervisor automation tool. So with Vagrant commands I can tell Virtual Box how to set up that machine; what network interfaces I want, what kind of operating system I want, what kind of ports to use, all that kind of stuff. I’m also using VVV, which is the Varying Vagrant Vagrants project. This is a project originally started by the 10Up company, which is a WordPress development shop. It’s a Vagrant config specific for WordPress development. So, I’ll be using that. And, last one is Variable VV, which is the one that I used that you saw and this is the command that I was using to tell VVV how I wanted it to configure that WordPress setup.

So, all these tools are Free Software, open source. You can grab them on GitHub or these project pages. Variable VV is written by Brad Parbs, who’s an excellent developer and this tool is probably the easiest way to set up a WordPress site I’ve ever seen. I’ve contributed a number of features to it. It’s really, really nice.

Using these kinds of tools makes development a lot easier, a lot more robust, a lot more reliable, ’cause it’s all automated. It takes out human error, and it’s much faster, of course.

So, let’s—

>> AUDIENCE MEMBER: Quick question?

>> MAYMAY: Yeah?

>> AUDIENCE MEMBER: Are you familiar with Local by Flywheel? Is this similar, or are there major differences?

>> MAYMAY: I am only passingly familiar with Local by Flywheel, but if I understand correctly, they’re basically equivalent tools. Right? It’s kind of—again, I’m actually not that familiar with Local by Flywheel. I’ve heard of it. My understanding is that it sets up a development environment for WordPress. Some of you may have heard about XAMP, right? That old thing.

[laughter]

That still exists. It’s kind of like a packaged server in a box. Like an application box. This is using—uh, this is the same effect, but we have virtual machines to do it with instead of putting, like, an Apache server on your laptop. That kind of thing.

All right, so, while that’s all building, we’re here to talk about Enterprise, right? So, I’m gonna assume you all know what WordPress is, and I’m gonna assume you all know what a small businesses are, and what features are, but we’re here to talk about “Enterprise Features for Small Businesses.” So what does, “Enterprise” mean? And some of you may think you already know what this is, and that’s great. Obviously, I’m not here to tell you what to think. That is, or may be, your employer’s job. So instead, I wanna make sure we’re all on the same page by letting you know what I mean when I say “enterprise.”

So what I mean when I say “enterprise” is important capabilities for secure and private collaboration, which utilize multiple tools simultaneously, typically sold to larger corporations that have a lot of money. Right? So, in other words we’re talking about anything that has to do with process or workflow automation, anything that has to do with objectives that touch multiple disciplines at once. Tools, for example, that interoperate between multiple vendors, typically to avoid vendor lock-in so that you don’t have to be beholden to a Facebook or an Amazon or a Google for the rest of your business’s life. Any capability that’s, perhaps, perceived to be super advanced or maybe even unnecessary for small groups, like those zero-to-one employers shops, or sole proprietorships, small businesses of that kind, particularly when they’re security and privacy related. Because those are the kinds of things almost always sold as the “pro” features in add-ons and upgrades that are unavailable to people with not huge budgets.

So, in short, any kind of system or tool that supports truly resilient autonomy. Something you can do yourself. Not this B2B stuff. Right?

So, with that said, I see my role as a Free Software developer to make it more possible for more people to independently access more of those capabilities without needing to have money and without needing to engage in any other form of abusive or coercive relationships in order to do so. I think that’s especially important to do in service to and in solidarity with the specific people whose lives are made dramatically worse by capitalist efforts to do the contrary.

All right, so let’s see where we are with the build of this new website and how far we’ve gotten on creating the server. Okay, there we go. It says here the server URL is wpnyc.demo. Let’s take a look and see if we actually have this available.

There we go, we got a new website up. So this is a pretty standard WordPress site. It’s all empty here, nothing fancy about this at all. We can go ahead and try to log in. And we’ll use our admin and password. And you can see that we have a Multisite install, so we have a Network Admin. We’ve got a users database. It’s all empty. So it’s just a standard, brand-new, WordPress site that we’ve created there.

>> AUDIENCE MEMBER: So, is this replacing what everyone has to do with their hosting company? Making databases, and—

>> MAYMAY: No, this is what your hosting company uses!

>> AUDIENCE MEMBER: Right, okay.

>> MAYMAY: You’re not going to be able to go to this website from, for example, the Starbucks down the street because it’s on my computer. It’s physically here. However, if you were a hosting company and you, for example, didn’t want to go and create a database and install WordPress every time you get a customer request, you’d probably use a tool like this. So, these tools are Free Software, they’re open source, you can do that if you wanted to. They don’t tell you that, but you can.

>> AUDIENCE MEMBER: It sets things up in seconds!

>> MAYMAY: It does. It doesn’t take very long at all. All right! So, we got our website, so we spun up a new WordPress Multisite instance.

>> AUDIENCE MEMBER: Question?

>> MAYMAY: Yeah?

>> AUDIENCE MEMBER: What does Multisite mean?

>> MAYMAY: Multisite means you can have multiple domains, multiple websites, that are running on one WordPress database. You have one database but you have, for example, blog.wpnyc.demo, and test.wpnyc.demo, and maybe even othersite.com, all running on one WordPress installation.

>> AUDIENCE MEMBER: So you can back the whole thing up?

>> MAYMAY: Yeah! It’s all one database, so whenever you backup that database, you backup the whole thing, the whole network.

>> AUDIENCE MEMBER: So you’re managing it from one WordPress site?

>> MAYMAY: Yeah. If Multisite is new to you, definitely check out the WordPress codex, which has a Multisite page. It describes it right there and also tells you how to set it up manually, in case you want to do that. It is good to do that manually at least once or twice so you know what these tools are doing. But once you do know how to set it up manually, using these tools obviously makes the job a lot faster and a lot less error prone.

All right, so we’ve created our new WordPress multisite instance. Let’s move on now. We’ll learn about the Subresource Integrity Manager for WordPress.

So, first, how many of you may already have heard about Subresource Integrity? No? Okay. That’s cool. I really like the Mozilla Developer Network’s definition. It’s pretty clear.

“Subresource Integrity is a security feature that enables browsers to verify that files they fetch (for example, from a CDN [a Content Distribution Network]) are delivered without unexpected manipulation. It works by allowing you to provide a cryptographic hash that a fetched file must match.”

So, what does that mean? For example, let’s say some attacker—or you—want to run cryptocurrency mining JavaScript on hundreds of thousands of users’s Web browsers. You don’t have to actually attack thousands of users’s websites, thousands of websites on the Internet, in order to do that. You could compromise the one website that all those other websites are loading files from. For example, like a [Facebook tracking] pixel, right? Like some sort of web bug. If you can change that and everyone is pulling that site from you, well, there you go. You’re now loading your JavaScript code on multiple websites. So, for example, if I wanted to make the users of USCourts.gov mine Monero or BitCoin for me, then I wouldn’t necessarily have to attack USCourts.gov, I could attack TextHelp.com, because TextHelp.com is serving files for the other sites, USCourts.gov and ICO.org.uk.

Now this isn’t theoretical, either, this happened just last week, with these exact websites—USCourts.gov included—and it’s exactly the sort of scenario that Subresource Integrity is designed to mitigate. So, let’s see how you can prevent this attack against your site’s users for free using the Subresource Integrity Manager for WordPress.

Let’s go back to our demo here. And we’ll switch back to Firefox.

>> AUDIENCE MEMBER: Is this similar to what SSL does?

>> MAYMAY: No. No, SSL would not protect against this because you’re still getting the content and not verifying that what you’re getting is what you expected to get. It just means that no one has listened to what you’re getting on the way. I’ll show you what I mean in just a sec. This will be a lot clearer if you see this in action than if you just see some slides without a demonstration about it.

All right, so the first thing we’re gonna do is, obviously, is we’re gonna go to our Network Admin screen. We’re gonna go to Plugins. We don’t have any. And we need to get one because we need to get the Subresource Integrity Manager, called WP-SRI. I think you can also search for “Subresource Integrity.” Regardless, here it is. We’re gonna go ahead and install this. And there it is.

Now, when you have a Multisite install you can activate plugins for an entire Network all at once or, what we’re gonna do, is we’re going to go to the site itself, our site’s Dashboard—it’s hard to do this backwards. Go to our Plugins, and we’re gonna go ahead and activate the Subresource Integrity Manager for WordPress. That’s it, you’re now protected. By which I mean, if you go to your Tools page, you’ll see a new item called Subresource Integrity Manager, and you see here all the listing of resources that your site’s requesting. Every single one, including the ones on your own site because we set that debug flag—I wanted to make sure there was some content here. Over on the left you see the URL column. That’s the source address of the file you’re loading. So these are JavaScript and CSS styles, etcetera. And over on the right, you’ll see these hashes. And this is the cryptographic hash, this is the one-way mathematical function that proves that the content that’s being served to your site is the content that you expected to get when you first loaded that resource.

So, what do I mean by that? Let’s go to the site itself, and I’m going to go ahead and open up the View Source thing here—and let’s make that a little bit bigger so you can see as well—and let’s just have a look at one of these link elements. Actually, let’s look for stylesheet—style sheet—there we go. So this probably looks familiar to any of you who have seen CSS before, right? Link rel stylesheet. Here’s an href, a reference to the stylesheet itself, but over on the right, you can see crossorigin anonymous and integrity equals SHA-256 dash and then this hash. This hash is the metadata of what was expected to be in that stylesheet. So if some attacker modifies it, it’s not going to load in your browser if you’re using these, if you’re expecting to get this particular hash value.

What do I mean by that? Let’s go a little bit deeper into that. So, let’s close—close? What happened there. There. Let’s close out of this. And I want to create now an example attack on this website to show you how this is actually enforced.

So the very first thing we’re gonna do, I’m going to go to my command line here and I’m going to create a new JavaScript file. This is gonna be going to a CDN that I set up ahead of time, here. CDN dot demo. The important thing about this site is that, again, it’s just a WordPress site, it’s just a different domain. The point being that we have two different domains. One requesting JavaScript sources from another. This is exactly the same thing as you would, for example, do when you do an embed from YouTube and you say, “Hey, YouTube, please load some content on my site.” I’m gonna do the same thing, but it’s gonna be very, very simple. So we’re going to echo some JavaScript, how about alert—whoops, this is hard to do backwards—alert, how about ‘Hello, WP NYC Meetup.’ Right? And we’re gonna go ahead and put this into the root of my CDN demo at htdocs and we can call that test.js for example. And I want that to be output there, whoops! Where did I mess that up? Echo, alert, yup. That’s fine. Uh, that’s not fine? Oh, there’s some other, I can’t see [the full screen on the project] or I mistyped some stuff? I can’t actually see all that. There we go. Nope. It looks like I’m not able to see what is there. Echo alert ‘Hello, WP NYC Meetup.’ Close. Let’s not do this full-screen, because I don’t see what’s over there. Oh! I have another—

>> AUDIENCE MEMBER: Can you explain what you’re doing now?

>> MAYMAY: Yeah! So this is gonna put this text, “alert(‘Hello, WP NYC Meetup’)” into this file. There we go. So if I look at this file, let’s say cat that file out, you’ll see that now that file has “alert(‘Hello, WP NYC Meetup’)” and if we go to our CDN dot demo slash test dot js, we’ll have that file being served in the Web browser.

The next thing I need to do of course is I need to load this JavaScript into the theme that we’re using. So I’m going to go ahead and use Vim to edit wpnycdemo, htdocs, wp content—

>> AUDIENCE MEMBER: And what’s Vim?

>> MAYMAY: Vim is a text editor, like TextEdit, but in a command line. So, like, Notepad or something. WP content, themes, twenty seventeen, because that’s the theme we’re using, and header.php. Right, so this is gonna look pretty familiar to anyone who’s edited a WordPress theme before. You can see here the wp_head hook, function there. And we’re just gonna add another one and it is going to be wp_enqueue_script, and this is gonna be WP-SRI demo, and we’re gonna load CDN.demo/test.js. All right, now our website—we put that embed code, basically, into our website. So now, when we load the WP demo site, we should get an alert that says, hey, “Hello, WP NYC Meetup.” There we go. So we now have that alert. We’re running that JavaScript code.

Here’s the thing. What if I then change that JavaScript code? Well, without Subresource Integrity, if I change that JavaScript code, it’s still gonna run, which means that if some attacker then changes that source code on some other server that you don’t control, that you have no insight into, they’re now running their code on your site. With Subresource Integrity, however, if I change that, so let’s do that, let’s vim this again. This time, let’s vim the CDN site, htdocs, test.js, let’s make something much more malicious happen here. Maybe something like a cross-site scripting attack. With a cross-site scripting attack if I reload this now, if I wasn’t using Subresource Integrity—we’re going to go into Subresource Integrity Manager to see that we have a hash for it—it’s not going to load.

Okay. Why didn’t it load? It didn’t load because, if we look at the Inspector, and go to our Console, you can see, “None of the SHA 256 hashes in the integrity attribute match the content of the subresource.” In other words, the browser says, “Hey, I saw this file, but it doesn’t match what you told me it should contain. And because it doesn’t match, I’m not gonna run it.” Therefore, your users also will not be subjected to that JavaScript. If I—

>> AUDIENCE MEMBER: What will they see? Will they see an error?

>> MAYMAY: No. It just won’t run. So, for example, if you had a personalized resource—Google Fonts does this, where it sends personalized content to each individual user but it’s the same URL, it’s always google.com/fonts/something—that is gonna break this. And so hopefully Google will fix that and will give, like, individual URLs to people. Until then, you have this little Exclude button which just takes out that integrity attribute in case you run into a problem where you’re loading one resource for multiple users but the content of that one resource is different for each user. In that case the integrity attribute won’t be printed, and if I reload this page, we should now have an XSS attack happening. Does that make sense?

>> AUDIENCE MEMBER: Yeah.

>> MAYMAY: All right, so that happens, again, because we did not include the integrity attribute in our test.js script element. If we again go back to Subresource Integrity Manager and re-include it, then when we reload, we will not get the XSS popup because the integrity attribute will be printed and we’ll see in fact the SHA 256 hash was not matching what we expected it to be.

So, let’s return this to the original ‘Hello, WP NYC Meetup’, and we’ll save that. And hopefully, with this, because again, it matches, it’s not excluded, but it does match the content that we’re expecting it to be, we visit the site and we get this back.

So that is Subresource Integrity Manager for WordPress.

>> AUDIENCE MEMBER: Does that add any weight to the site?

>> MAYMAY: It will increase your HTML page sizes, but hopefully you’re using, y’know, HTTP2 for good compression, and it’s not really adding a lot in comparison to the kind of attack that this—the kind of vulnerability that this is for your users is pretty serious. So, this is basically considered a really good thing, it’s been widely developed and deployed.

Some pro-tips for using this. SRIHash.org is a great site to go to if you want one of these one-off. If you have a JavaScript file that you want to insert yourself but you want to include the integrity attribute, go to SRIHash.org, plug the URL into the form there. Hit Hash. It’ll give you the exact code you want to use for that.

>> AUDIENCE MEMBER: That looks like a good password generator.

[laughter]

>> MAYMAY: You can also further harden your site by using the CSP HTTP headers. These are content security policies which tell your visitor’s browsers not to load anything that doesn’t include an integrity attribute if you use the require-sri-for and you can say either script or style, or both. And finally of course, because the free and open Internet is a platform agnostic technology by design you don’t have to be using WordPress to be using this. You can, for instance if you’re using Ruby on Rails, use the sprockets-rails gem. Just use your javascript include tag and add a new parameter there, integrity equals true, and sprockets-rails will take care of it. Similarly, if you’re using any of the NodeJS tools, pick up the SSRI package over on NPM. And again, it’s ssri.fromData or dot fromUrl or something. Give it an algorithm that you wanna use, and the toString method will give you the integrity attribute, what you actually want to print out.

Okay, so that was Subresource Integrity for WordPress.

Yeah?

>> AUDIENCE MEMBER: What happens if I want to change the plugin or the script or whatever?

>> MAYMAY: Yeah!

>> AUDIENCE MEMBER: Do I have to run something again so I can update the hash tags or…?

>> MAYMAY: The easiest thing to do is to go back to your tool, so let’s go back to WPNYC Demo, we’ll go to your tool, and you find the resource you want. So, let’s say, test.js, here. And delete it. Now, the next time it loads, Subresource Integrity Manager will say, “Oh, I don’t know this. I’ll go ahead and fetch it, re-hash it,” and that way basically you’re forgetting the old hash and putting in the new one. So that’s that.

>> AUDIENCE MEMBER: Can you give us an example of how to use this on a site we might already be familiar with?

>> MAYMAY: This is already used on many sites you’re probably familiar with! And it’s used specifically to make sure that there’s no unexpected manipulation from the CDN side. So, for instance, a long time ago—well, not a long time ago but, like, two years ago—there was one of these JavaScript DDoS attacks that happened by Baidu, which was one of the Chinese analytics firms. The Great Firewall of China, evidently, decided to change anyone who was loading Baidu analytics JavaScript that it was sending to DDoS GitHub. As in, to try to get every browser on the planet who was loading Baidu analytics to send a bunch of requests to GitHub.com to take them down. And it worked because, at the time, there was nothing like this. So that, among other reasons is why SRI features became a W3C standard and is now deployed in all these different frameworks.

So, for WordPress, you can use the Subresource Integrity Manager until we get this into core. It looks like it will be into core at some point, but I don’t want to promise about when or how, because I don’t know.

[laughs]

>> AUDIENCE MEMBER: [quiet speaking]

>> MAYMAY: Oh, you just have to hit “exclude.”

>> AUDIENCE MEMBER: [quiet speaking]

>> MAYMAY: Well, I mean, yes. For Google Fonts, or any resource that has the same URL but whose content is different, right? Because, if the content is different, it’s not going to match the hash for all users, it will only match the hash for one user. Probably you, because you’re the first one who has requested it. So you want to exclude those until sites like Google and other CDN providers start making unique URLs per user. All this personalization that happens on just the content and not the URL needs to go away for this to work.

>> AUDIENCE MEMBER: How do I know if I need to exclude a script like that?

>> MAYMAY: See if your site still works.

[laughter]

>> AUDIENCE MEMBER: Oh, just load it again?

>> MAYMAY: Yeah. All right, so, we’re gonna move on to GPG and OpenPGP signing and encryption for WordPress. So, first of all, how many of you are familiar already with GPG or OpenPGP or signing and encryption and technologies? One, two, three, four hands in the back. Okay, cool. Great! Any of you wanna shout out what that is? No? All right.

Well basically, it’s secured email, is the answer to that. In short, GPG or OpenPGP—they’re kind of interchangeable terms—means secure email. But here we have to be pretty careful about what we’re talking about when we say “secured.” What does secured really mean? In a very brief nutshell, ’cause I don’t have that much time, when infosec pros talk about security they’re usually speaking about something that’s known as the CIA triad. It’s called a triad because it has, of course, three parts, and these are confidentiality for the “C,” integrity for the “I,” and availability for the “A.” Now, for the purposes of this presentation we’re only going to concern ourselves with the first two pieces of this triad.

Another common word for confidentiality—you’ll often hear this a lot—is privacy. Much more often used word. And similarly, very similarly to that, another word that’s used for integrity is “authenticity.” So, in the next demo, when I talk about GPG encryption, what I want to be talking about it ensuring privacy: the ability for your website to send a message that only its intended recipient can read. And when I talk about GPG signing, what I’m talking about is ensuring authenticity: the ability for the recipient of that message to verify that it the message was actually sent by your server, not some other imposter, and that the message that they got was unmodified in transit. It’s the actual message that you sent. Very much like the Subresource Integrity thing where you’re hashing stuff. All right, so now let’s see how you can accomplish this with the PGP encrypted emails plugin that I wrote.

So, we’re gonna go back to our demo, and—whoop, there’s my, there it is. And, I want to go to my WordPress site. And, as before, we’re gonna create a new plugin by going to Network Admin, Plugins, Add New, and we’re gonna search for WP PGP Encrypted Emails. That’s the full name of it, but you can also probably search “PGP encrypted emails.” Anyway, we’re gonna hit “Install Now” and there it goes. And we can Network Activate this or we can, again, just go to a site, go to the demo site, go to our plugins, and activate—whoops, no, I don’t want to, I want to do this one—plugins, and activate that. All right, that’s it.

Now, very first thing you’ll notice is that we have one of these admin notices up at the top. It says hold on, you’re not done yet. You’ve got to create or generate an OpenPGP key pair for the website to sign outgoing emails with. In other words, you can’t just send an email. You have to actually stamp that email with the identity of the website, cryptographically. So that’s what we’re gonna do when we generate PGP signing key pair. That’s it, that’s all you gotta do. And this will take you to the Settings screen, with a new item here under Email Encryption.

This email encryption settings will have a number of options. The important one for here is the PGP signing key pair. This is a low-trust, single-purpose key (identity), for the website that you need to distribute any user who wants to make sure that when they’re getting emails from you, it’s coming from the right place. There’s a theme function that you can add to your theme that makes this button, so you don’t have to worry about the code itself, or you can go to or tell your users to go the profile that they have and click on “Download public key” at the very bottom under their personal encryption settings. We’re gonna go ahead and do that. I’m gonna click “Download public key,” and it’s gonna give me this file. I’m just gonna save that, for the moment.

But before we do anything with that, I want to show you what an unsigned and unencrypted email looks like. Regular old email, nothing fancy. This is what you’re doing, probably, right now. And to show you that, I’m gonna go to wpnyc.demo, and I’m gonna go to [port] 1080 here. This is Mailcatcher. This is another one of those development tools that was installed when I did the VV build and what this does is it kind of intercepts any outgoing email from that website and shows it to me in this interface so I can debug it.

You can see that we already have an email in here. This one is the email that was sent when the WordPress site was kicked off and built. Sometimes you’ll see this in the One-click Installers. Y’know, you’ll get an email saying, “Hey, your WordPress site is ready.” That’s what this is. So, this is the source code of that email. You can see the headers up here, and the body down here. And there’s nothing fancy about this, nothing special, nothing cryptographic, no hashes, none of these security features. It’s all just plain text. This is like sending a postcard through the post. Anytime you send a postcard, anyone viewing or handling that postcard can read the contents. That’s what all email, all text messages, all unencrypted HTTP—not HTTPS—traffic is. So we’re now going to add the equivalent of a digital envelope to protect the contents of this message and a digital stamp that says, much like those Game of Thrones, y’know, wax stamps. This definitely came from Jamie Lanister or whoever. We’re gonna add that to our emails. I’m gonna show you how to do that.

Firstly, we have this key that we downloaded. So let’s go ahead and take a look at my Downloads folder. And, or actually, take a look at this here. “To authenticate the emails, download the PGP public key and import it to an OpenPGP-compatible client.” This links to PRISM-Break, which is a fantastic website. If you don’t know about it, check it out. PRISM dash Break dot org. And it lists here all the software that you can use PGP or GPG with. So there’s a vast ecosystem of this. It’s available on Windows, Linux, Android phones, iOS devices, basically any computing device that you have can do this for free already, with either one of these apps if it’s not already built-in. Many Linuxes have this built-in, for example.

So, I’m going to be using GPGTools, or MacGPG for this. That is at GPGTools.org. If you’re on a Mac today and you wanna try this out, go grab this. It’s the best tool for the job I’ve seen. All right, so we’re gonna go ahead and open up this email, I’m sorry, this key, and we’re gonna open it with an application that was installed with the GPGTools package that I installed earlier called GPG Keychain, and we’re gonna import that key, and there we go. Now we have this key.

Now what this means is that we are aware of a cryptographic identify for the website wpnyc.demo. I can now authenticate any emails that are sent there. So let’s go ahead and get an email from there. You could trigger an email by purchasing an order or making a new user account, or you can use the handy “Send me a test email” button, which is what I’m going to do. And when I click this I want you to take a look at the Mailcatcher tab up here, and I want you to take a look at this. This is going to go from 1 to 2. Okay? Ready?

Send me a test email. There it is, now there’s 2. There’s the test email. And now, take a look at how the email is different. We have this “begin PGP signed message” text on top and on the bottom. This is what’s known as a clear signed message. This is saying that this is the, effectively, the integrity attribute, or that metadata for the contents of that message, just like the SRI stuff. It functions very similarly.

If you were using an email client, this would automatically authenticate—

>> AUDIENCE MEMBER: You’d use both?

>> MAYMAY: Use both what?

>> AUDIENCE MEMBER: Use both the GPG and the SRI?

>> MAYMAY: Yeah, they’re separate plugins, they’re separate technologies, but they use the same what are known as cryptographic primitives, which is to say, they use the same mathematics under the hood.

>> AUDIENCE MEMBER: So you’d use one or the other?

>> MAYMAY: No, you can use both, because they do different things. In fact, I would recommend that you use all the plugins I’m gonna demo. [laughs] ‘Cause, they’re all free and they run on any WordPress site of any size. All right.

So, we’re gonna grab this PGP signature here, the contents of this email, and again if you were using an email client like Apple Mail or Microsoft Outlook or something, you wouldn’t have to do this copying-and-pasting, but I’m using a debugging tool so I am. I’m just going to go ahead and open up a TextEdit window and I’m gonna paste this into a new file and we’re gonna say test email, and I’m gonna save it on my desktop—and, sure, you can use the email extension. All right, and now, to verify that this is in fact the—I don’t need this anymore—the message that came from the site, I’m gonna right-click, I’m gonna go to services, and “Verify Signature of File.” See that, there? “Verify Signature of File.”

All right, click that, and we get a verification result: Signed by wordpress@wpnyc.demo. This means, yes, this email came from the site that you think it did and it was unmodified. No one changed the message between the time that the site sent it and the time that you received it. So, to prove that, we can open up this test email again. TextEdit—whoops, come on. Why is it not dragging this over? Drag. Seriously? For real now? All right, let’s do it this way. Other, and we want to use TextEdit, which is here. All right, so now let’s change this email in some way. We’ll just delete some text. We’ll re-save it.

Let’s try to verify again. Now we should get a failed message. This should not verify, because the message was changed. This is really important for things like, for example, security announcements. Apple, Inc, like, the company that makes this computer. They do this, exactly this process for when they send emails to their security announce list because it would be pretty bad if they sent a security announcement to say, “Hey, there’s a new patch available,” and that was actually a fraudulent email. Web hosting providers, DreamHost sends this with their billing emails, with their receipts. Now you can do the same with this plugin. All right, so that is a test email.

So that was signing. Do we have time? Do you think we should do encryption? Do we have time for this?

>> AUDIENCE: Yes!

>> MAYMAY: Yes? Okay. [laughs] Is there a question, there?

>> AUDIENCE MEMBER: [quiet speaking]

>> MAYMAY: I can’t quite hear you. Are you asking if it’s possible, if this works with an external service?

>> AUDIENCE MEMBER: Yes. If you don’t want to use your WordPress server to send the emails.

>> MAYMAY: Yeah. It, um, you will have to do a little bit more work to use an external service because you’ll need to send them pre-signed messages, right? So, for example, a lot of these services will insert things like, you know, “Hello, name,” or, y’know, “who lives at such and such, your account number is such and this.” If you sign the message before they do that, none of these verifications are gonna work, because they’re going to be changing the message on your behalf. On the other hand, there’s many free software plugins for WordPress that can function similarly to MailChimp, for instance, and this plugin is compatible with all of them that I’ve tested, which at this point has been hundreds. So, you could do that, it might take you a little bit more time to send those emails but at least that way you’re actually doing the work on your site, yourself, and not farming that out to a third party that may or may not—and probably is—mining you for data. So, but, y’know, obviously up to you?

All right. What time is it? It is, 8:30. I have until 9, I got a lot of content. You sure you want to see encryption?

>> AUDIENCE: Yeah!

>> MAYMAY: Yeah, y’all are good for that?

>> SCOTT BECKER: Quarter to nine!

>> MAYMAY: Quarter to nine! All right, I don’t have a lot of time, then. Here’s what I’m gonna do—

>> SCOTT BECKER: Well, ten to.

>> MAYMAY: All right. Well, let’s, I’m going to go through this a little bit quicker. So what I’m going to do is I’m just going to create a new key here. This doesn’t really matter. To do encryption we have to do the reverse process. Rather than getting the key from the website, I have to give the website my identity. But to have an identity, I need to make one. So that’s what this is, that’s what the “New” thingy is here. So we’ll do that. Some email dot invalid, none of this matters. The password is password. And password here. And, under advanced options, what’s there? Oh yeah. So I’m just gonna say “this is a test do not use this key.” We’re gonna generate that key. We’re gonna continue with a simple password. And again, all the GPG tools will do this, whether you’re using Windows or Linux, I just happen to be using a Mac. I don’t want to upload the key to the key server, again, because it’s a test.

And what we’ve done is created a new key pair. What’s known as basically a digital lock and a key that opens that digital lock. So if I hit export here, I get a file on this desktop. Let’s go ahead right there, and desktop, and there is my file which just like the other email, this can be opened. Because a key, an identity, a cryptographic hash, is just text, we can open it with TextEdit and you can take a look at what a key looks like. It’s just a really big number, really.

So if I copy this into my—because I’m the admin here, I’m gonna copy it into the Settings, Email Encryption, and Admin Email PGP Public Key textbox here, and hit save. Now, that’s all I gotta do. Now if I get another message, let’s trigger that again. Send me another test email. It’ll go from 2 to 3. And now this was the signed message, now we’ll have an encrypted message. So now we just have this “begin PGP message” block and this is the content that’s gonna be stored, for example, by Google or by Microsoft Live, right? When you are actually using a GMail account, they’re reading all your email. Well that’s because it’s not encrypted. If you use this, and you give the sites that are letting you send encrypted messages your cryptographic identity, Google can no longer read your email because to them it looks like this.

So the question is, how does it look like to you? Well, we’ll go back here, we’ll go to TextEdit, and we’ll just paste this message in again. And, again, on an actual email client this is much, much simpler. I’m just gonna right-click, go to Services, and I’m gonna decrypt selection to new window. And what we should see here is I’m being asked for my password for this identity, which I put before. Right, and say password. Oh, it opened it up over here, so I’m just gonna move this over. Right. This is a test message from wpnycdemo. It’s still signed, right, because the site has a signing key, and it’s decrypted, because I have the matching key to the lock that I gave the website. So that is OpenPGP signing and encryption for WordPress.

Quick pro-tips for making even more use of this plugin. Number one, importantly for small businesses you should know that the WP PGP Encrypted Emails plugin features zero-configuration, out-of-the-box support with WooCommerce. So if you have a WooCommerce store, right, as long as your chosen theme supports the WooCommerce account pages, then all you have to do is install this and your customers will get an out of the way form that looks exactly like this that they can use to opt-in to signed emails or even encrypted emails if they go ahead through the process of making their own identity and uploading a key and giving it to your store. This is an example of what a signed email might look like in Apple Mail. Instead of the Mailcatcher interface it would just look like this. It would say “Security: Signed” and that’s how they would know, yes, this actually came from your store. So this is really important for secured email receipts, for private transfers of communications between, like, tech support. Anything that you basically don’t want other people reading. This is all from a blog post out of New York City called Flora Posidonia: FloraPosidonia.xyz. Check that out at some point if you wanna see this in practice in the wild.

For developers, WP PGP Encrypted Emails features a general-purpose API to cryptographic operations using familiar WordPress plugin hooks. So what I mean by that is that the plugin uses the same hooks that it makes available for other plugins for itself. And that means with as few as about four lines of PHP you actually, as a developer, can build PGP or S/MIME encryption into your own plugins and themes. So you can see here we’re getting the user object, we’re applying the wp_openpgp_user_key filter to that user object to get the key itself, and then we’re using openpgp_encrypt with the message and the public key to get an encrypted message. You can now, using PHP, send this variable over the Internet or in an email or anywhere you want, and it’s that PGP message block instead of the plain text content.

Okay, so that was GPG and OpenPGP signing and encryption for WordPress. I got ten minutes, so I’m going to hold questions. And at this point we’re going to go on to centralized authentication service using OpenLDAP for WordPress.

Now, as before, centralized authentication services with LDAP, anyone use this already? Sound familiar to anybody? No? All right, let’s start with LDAP. So that stands for the Lightweight Directory Access Protocol. It is an open vendor-neutral industry standard application protocol for accessing and maintaining distributed information services. So what that means, for our purposes at the moment, is that an LDAP database, which is called a Directory Information Tree or a DIT, can store user account login details like usernames and passwords and email addresses and phone numbers and this kind of thing, in an application-independent way so that any app that can speak LDAP can actually use the LDAP store as its user database.

Fun fact: LDAP was written by Tim Howes. He was the CTO and founder of a company called Opsware that I worked at for a while and that’s now HP Server Automation suite, HPSA, for those of you actually working in Enterprise.

Let’s take a step back for a moment, though, and talk about what this might look like—a website’s system might look like—without LDAP at all. You have a website. It’s running WordPress. We’ll call it YourSite.com and one of your users, we’ll call them alice, logs into the site. So to successfully log in to that site, WordPress first checks its WP users table for an entry that matches Alice’s account credentials. If those credentials exist and they match the ones submitted by the user, then Alice is successfully logged in, everything is okay, you get the Dashboard, or you get the homepage, it all looks fine. In this setup the user’s account information is stored by WordPress, for WordPress, and is only available to WordPress so we call that application-specific data.

Now let’s imagine that you want to add another app to your network. Maybe you have an intranet, right, and you want to add Nextcloud. This is kind of a Google Docs replacement. You could, and most organizations that I’ve seen typically do just tell Alice that, y’know, they now have two user accounts. They have a WordPress account, right? And they have a completely separate account for Nextcloud. In my experience, this causes a lot of problems. Among other issues, it means that users now must manage two user accounts: two passwords, two user profiles independently. Most users will probably choose the same password and the same profile information on both systems, but once they change their password on one system, the other system isn’t informed, and that leads to confusion, not to mention a lot of help desk tickets.

So this is a classic problem that LDAP is designed to solve. Now, with an LDAP server, you can store account details in a way where you can provide a Centralized Authentication Service, also called a CAS, for any LDAP-capable application that you choose to add to your network. So now, regardless of which app server Alice logs into, their account credentials are always the same. And when they change their password on the one side, say WordPress, they can immediately use their new password to log in to Nextcloud because that authentication check is happening in one central place, which is that LDAP server at the top.

So, let’s see how you can configure this using—whoops, that was too fast—using, WordPress. We’re going to go back to our WordPress demo and I’m going to try to run through this a little bit quickly, I apologize because I’m running a little short on time. But what I have here is another install of Nextcloud. This is a brand-new Nextcloud instance that’s running on the same machine as the other one. And I’m going to go ahead and create a new admin account. If Nextcloud is familiar to any of you this will look pretty familiar because it’s basically just as I did before. It’s a completely blank Nextcloud instance, without anything pre-loaded. So no users, no files, no nothing.

So this is Nextcloud for those of you who haven’t seen it. It looks a lot like Google Docs. Y’know, you can upload files, you can download files, you can open up text files. You can share photos, that kind of thing. You can take a look at the users database here. There’s just one user, the admin, there’s nothing else. And that is just blank Nextcloud. Now we also need, of course, is the wpnyc.demo—oh, yeah, hello—we need the plugin for WP-LDAP, which is…. There are a lot of LDAP plugins, but mine is the one called just WP-LDAP, by me, here. It’s pretty small and pretty new, because it’s not very well-known. But I’m going to go ahead and install it. And what this is going to let me do, when I go to Network Activate it, I will have a new option under my Network Settings called LDAP Settings.

Unfortunately, I need to be using HTTPS to manage it because this is kinda sensitive. So we’re gonna go ahead and do that like this. Password. There we go, LDAP settings. Now, I’m not going to show this because I don’t have time, but I also have a LDAP server running on port 389 on that same machine. Installing an LDAP server, if you’re a server admin, is usually as simple as “sudo apt install slapd” or the standalone LDAP daemon. For the time being, I’m gonna have to skip that.

I set it up so that it has a Bind DN, which is basically like the user account that you’re using to admin the site. This is basically the same as the MySQL user. Y’know how you have a MySQL database and your WordPress website needs to know what the login credentials for the database are? Same exact procedure. In this case, it’s not a MySQL database, it’s an LDAP database. So the syntax is a little bit different. But in general, it looks something like this. DC equals WPNYC, and DC stands for “domain component,” so this is the dots, right? Instead of dot com or dot demo, I’m using DC equals and “CN” is “common name.”

Let’s go ahead and actually double-check that that is correct because I don’t want it to not be. Okay, so we logged in over there, and I’m just going to copy and paste this from my notes to make double-sure that I have this right. So, I’m using an LDAP search tool on a command line, asking for the host, which is localhost in this case, using external authentication meaning the OS itself, to ask for the config common name, and I want the OLC or online configuration root DN. The root DN is basically superuser. You know how WordPress has “Super Admin”? This is Super Admin for LDAP. And sure enough it’s cn admin, dc wpnyc and demo. So that’s right. And then the base is just the end here, the same. WPNYC Demo. You can change this if you want, but it is effectively the same. So, for example, if you wanted to do, a different directory tree you could do OU equals people and this is like, basically choosing the table. Where in the database do you actually want to store what we’re about to put? In our case, ’cause this is a simple demo, we’ll just put it at the root over there. And that’s it. We save that change.

Now your WordPress can talk to LDAP. What does that mean? It means if we create a new user here—let’s say we’re going to make a new user on our Network, and we’ll call it test LDAP and it’s gonna be testldap@wpnyc.demo. We’re gonna add that user. Hopefully, if I got that right—no, I don’t want notifications—if we configure now Nextcloud to add LDAP integration, too. Now, Nextcloud ships with LDAP integration so we don’t even have to write a plugin for this. We’re gonna go to the Apps page on Nextcloud, enable the LDAP user and group backend plugin. We’ll now go to the admin screen for LDAP. We’ll go to LDAP and AD integration, and we’re gonna give it the same details that we gave WordPress. So, 127.0.0.1. Nextcloud has some nice JavaScript that can detect the port. The user DN was cn equals admin, domain component wpnyc, domain component demo, I believe. And the password was password. Let’s see if that, yup. And detect base DN. There we go. And test base DN. We look good.

So we’re gonna hit “Continue.” And now you can see we’ve got three entries available. These are inetOrgPersons. A user account in LDAP is an inetOrgPerson, an Internet organization person. We can verify this, we found 1 user. We’re gonna continue. And here you can say how do you want them to login? Username only, or username and email? We can go with either. This is basically, y’know, log in with your email, log in with your username. Just like WordPress. And if we do testldap here. Yeah, “User found and settings verified.” Continue on, and we’re good. So now, when we go to the users screen, you’ll see another one. And there you go. Now we can log in with this user.

So for instance, let’s say—actually, I can’t log in with this user, because I don’t know their password.

[laughs]

But, if we edit their password and set it, let’s set it to something simple like password. Yeah, confirm that password. We’ll update that. We’ll log out of Nextcloud as the admin, and we’ll log back in as the testldap user. And there we go. We didn’t have to make a user account on Nextcloud because we made on WordPress, and now, no matter how many apps you add to your intranet or your site, you now have one authentication store for all of your users. This is really useful for, for example, employees inside of a company. Taking out one, deleting them from the LDAP store will remove their access to all your apps. It’s also portable so you can transfer it from, y’know, one app to another, as long as the apps you’re using can speak LDAP. And, with WP-LDAP, WordPress can. So that was WP-LDAP on WordPress.

Pro-tips on this: it’s built for Multi-network, not just Multi-site installs. So if you’re not familiar with WordPress Multisite, read about that. Once you’ve read about that, check out the article, again on the WordPres Codex on Multi-network. This is a Network of WordPress Networks, and WP-LDAP works with that, too. You can set different servers, LDAP servers, for different networks so you can do things like network segmentation or perhaps round-robin load balancing, it’s kind of up to you. It’s also already aware of the WP PGP Encrypted Emails plugin, so if you use both of those and your users supply an S/MIME certificate, that will get sent over to LDAP and that will allow you to do transparent email encryption for things that are configured for that, such as iPhones in a BYOD or Bring-Your-Own-Device environment. Microsoft Outlook supports this out of the box as well. All of these features are standard protocols that are for free that you can install on WordPress sites of any size that you never have to pay for, if you don’t want to. You could. I wouldn’t. All of this, of course, is RFC 2798 compliant so any consumer that speaks LDAP—Apple Contacts, iOS, Mozilla Thunderbird Address Book—you can get a people directory and actually have, like, email autocomplete lookups for all of your employees or mailing list subscribers or anything like that.

All right, that was Centralized Authentication Service for LDAP. I don’t know if we have time for Q&A?

>> SCOTT BECKER: We can do a five minute Q&A.

>> MAYMAY: Very short Q&A. I realize that was a lot of information very quickly as well. Yeah.

>> AUDIENCE MEMBER: I run an NGO, a non-profit organization, and we have an account for Google Apps, because they gave us for free. Can I use LDAP instead of Google?

>> MAYMAY: Oh, yeah. Google uses LDAP behind the scenes. So, this is what they’re using. Right, like, there’s not a difference in the technology between Google, Facebook, and this. It’s just a matter of whether or not they put the branding and the sheen on it to make sure that you feel like you’re using their thing, as opposed to the standard thing.

>> AUDIENCE MEMBER: Can you use PGP encryption with Google?

>> MAYMAY: Oh, yeah! I do all the time. Yeah.

>> AUDIENCE MEMBER: Does this address the problem where WordPress sends out emails and it looks like spam? Like, in GMail, it goes to the spam folder, but with Sendgrid and some of these other guys it doesn’t? Does that fix that?

>> MAYMAY: Sadly, no. So the question was if these plugins fix email looking like spam from WordPress. And unfortunately, they don’t. They don’t because of a number of reasons, which we can talk about maybe later if you want, but the short answer is no. The longer answer is they might even make you look a little more suspicious only because they would rather you use their thing.

All right, so, any last question about that? All right.

In case it wasn’t clear, all these plugins are freely available on the WordPress plugin repository today. Here are their permalinks. I’m gonna put up these slides somewhere so you can take a look at them on your time and hopefully we’ve got the recording at some point as well.

Again, my name is maymay. My homepage is maymay.net. It might be down. If it is, try again in a little bit. Again, I get DDoS’ed a lot. At maymay.net the very top link is “Download my digital business card.” Click it to download and import my vCard into your contact app, and that’s all I got. Thank you so much for your time and attention, everyone.

This week, on “Capitalism,” technicians are forced by employment contract to not educate customers.

I just wrote this really long comment elsewhere and after I posted it realized it might actually be useful to many folks here if they are struggling to make ends meet or to pay bills. So, here ya go. May your dependence on capitalism decrease as your experiences increase.

(Context for this is that a lot of people pay cable companies for “bundles” or “packages” or “upgrades” that, on their face, sound like a good deal, but are actually not. Here’s why.)

In most places I’ve been, it’s actually cheaper not to bundle TV with Internet service because the Internet service you get with bundled TV is actually unusable, so the upsell is literally worse than useless.

For instance, a friend of mine was telling me about the recent Time Warner Cable/Spectrum strike in NYC, and from what I hear part of the sticking point is that Time Warner sells this “300Mbps upgrade” for about $40 a month. This is slightly cheaper with a bundled TV package, but not drastically.

What this actually means, for anyone who doesn’t know the technical details of this, is that Time Warner will let you download files at about 300 million bits per second (Mbps), which is something like 37 megabytes per second. So, if you were downloading a file that was 37 megabytes (maybe the PDF of a textbook or something), you would be able to get it on your computer in about 1 second.

The kicker, though, is that most houses which purchase this “upgrade” are connected to the modem using a 100BASE-T Ethernet cable, which has a theoretical maximum speed of only 100Mbps. So this means, even if you’re paying for a 300Mbps “upgrade,” there is still a bottleneck that is only one-third the capacity and no amount of service plan changes will fix it, because the problem is the physical cabling installed in the apartment complex or in the house. You could buy a “fastest Internet in the whole world” package deal and still only get 100Mbps top speeds.

On top of that, most people don’t even use cabling. They use Wi-Fi. And the most ubiquitous form of Wi-Fi is called 802.11g, whose maximum theoretical speed is 54Mbps, or 54 million bits per second. In other words, a quarter of the speed of the super popular “upgrade” package sold by Time Warner. However, unlike physical cable, Wi-Fi is (wireless) radio, which means things like microwaves and other household appliances interfere, further reducing that 54Mbps theoretical maximum. Most of the time, a typical home Wi-Fi setup in a city will see Wi-Fi speeds slow to 34 or even 24Mbps at most.

That’s bad enough, but why the strike? Well, Time Warner contracts with technicians who, of course, know all this stuff. They apparently get called out on so many support calls from customers who want to know “why the Wi-Fi isn’t working well” and there’s literally nothing they can do to improve the situation, because Wi-Fi can’t, by DESIGN function at the speeds Time Warner is selling. But the real kicker is that, according to their contract, the technician is not allowed to tell the customer that this is what’s happening, because anyone in their right mind who understands how this works would immediately cancel their package subscription with the upgrade charges and so on, since it is physically impossible for them to make any use of it. There is no benefit to ever buying it, unless you rewire your building.

And yet people do buy it. Why? Because it’s a “package” deal, it’s sold and marketed as “better! faster! stronger!” and even then, when a customer has “trouble” with something about “the Internet,” the Time Warner Cable/Spectrum support personnel on the phone and whatnot encourage the upsell.

It’s 21st century snake oil.

Anyway, my point is, if you take a closer look at the Internet Service Provider plans in your area with someone who knows what they’re doing (not saying that you don’t know what you’re doing, I’m just writing this for readers and passers-by), it’s very often possible to get identical Internet service for close to half of the price that most people pay for it. I’ve helped some people evaluate this for their households during my travels, and each time, after several months, the answer to “Have you noticed a difference in service or speeds?” is “No.”

And of course that’s the answer. Because that’s how physics works.

Computer People for Peace: Interrupt 14

1984 is here … 13 years early….

The following call has been issued to peace activist groups. In addition we urge all computer people to join us in Atlantic City in May.

Computers are increasingly being used as a means of oppression. They are at the heart of every military and police system. They are at the core of every major corporation and are used to maximize profits with little regard for human needs.

The Spring Joint Computer Conference (SJCC) is an annual trade show-technical conference-public relations gimmick-sales event which brings together representatives of major corporations (IBM, GE, Honeywell, RCA, Litton, Rand, AT&T, etc.), high level representatives of the military and government, and the technocratic elite that serves their interests.

Obviously the event is overwhelmingly dominated by white males.

SJCC is being at Convention Hall in Atlantic City, N.J., on May 18-20. Attendance is expected to exceed 30,000, making the conference one of the largest military-industrial gatherings in the country.

Computer People for Peace proposes a mass multi-issue series of actions, meetings, and demonstrations during the SJCC. The issues to be raised include:

  • US genocide in South East Asia, particularly corporate involvement. (Honeywell is the prime manufacturer of anti-personnel fragmentation bombs.)
  • Repression at home, specifically the use of computer based information systems as a means of social control. (Military Intelligence keeps data banks on civilians–including all of us.)
  • Corporate racism (IBM plans to expand its South African market while the rate of unemployment among Third World people in the US continues to increase.)
  • The present misuse vs. the constructive potential of computer technology (as applied to health, education, welfare, housing, ecology, and urban planning).
  • The role of automation on the rising level of unemployment.

Interrupt, 14

February, 1971

Newsletter of Computer People for Peace

Computer People for Peace
The Dolphin Center
137 West 14th Street
New York, N. Y. 10011

My 2009 essay kinda-sorta about an Anarchist “Internet of Things”

I wrote an essay in 2009 about the Internet of Things, before people were calling it “the Internet of Things.” When I re-read it this afternoon, in 2017, I noticed something rather queer. It wasn’t actually about the Internet of Things at all. It was actually a personal manifesto advocating Anarchism, and condemning techno-capitalist fascism.

Yes, really.

In 2009, despite having barely turned 25 years old, I had already been working as a professional web developer for a little over a decade. (That arithmetic is correct, I assure you.) At the time, I had some embarrassingly naïve ideas about Silicon Valley, capitalism, and neoliberalism. I also had no idea that less than two years later, I’d be homeless and sleeping in Occupy encampments, and that I’d remain (mostly) happily houseless and jobless for the next six years, up to and including the time of this writing.

The story of my life during those two years is a story worth telling…someday. Today, though, I want to remind myself of who I was before. I was a different person when 2009 began in some very important ways. I was so different that by the time it ended I began referring to my prior experiences as “my past life,” and I’ve used the same turn of phrase ever since. But I was also not so different that, looking back on myself with older eyes, I can clearly see the seeds of my anti-capitalist convictions had already begun to germinate and root themselves somewhere inside me.

Among the many other things that I was in my past life, I was an author. I’ve always loved the art of the written word. My affinity for the creativity I saw in and the pleasure I derived from written scripts drew me to my appreciation for computer programming. That is its own story, as well, but the climax of that trajectory—at least by 2009—is that I was employed as a technical writer. I blogged on a freelance basis for an online Web development magazine about Web development. I had already co-authored and published significant portions of my first technical book. And, in 2009, I had just completed co-authoring a second.

That second book was called, plainly enough, Advanced CSS, and was about the front-end Web development topic more formally known as Cascading Style Sheets. But that’s not interesting. At least, no more interesting than any other fleeting excitement over a given technical detail. What’s arguably most revealing about that book is the essay I contributed, which for all intents and purposes is the book’s opening.

My essay follows in its entirety:

User agents: our eyes and ears in cyberspace

A user agent is nothing more than some entity that acts on behalf of users themselves.1 What this means is that it’s important to understand these users as well as their user agents. User agents are the tools we use to interact with the wealth of possibilities that exists on the Internet. They are like extensions of ourselves. Indeed, they are (increasingly literally) our eyes and ears in cyberspace.

Understanding users and their agents

Web developers are already familiar with many common user agents: web browsers! We’re even notorious for sometimes bemoaning the sheer number of them that already exist. Maybe we need to reexamine why we do that.

There are many different kinds of users out there, each with potentially radically different needs. Therefore, to understand why there are so many user agents in existence we need to understand what the needs of all these different users are. This isn’t merely a theoretical exercise, either. The fact is that figuring out a user’s needs helps us to present our content to that user in the best possible way.

Presenting content to users and, by extension, their user agents appropriately goes beyond the typical accessibility argument that asserts the importance of making your content available to everyone (though we’ll certainly be making that argument, too). The principles behind understanding a user’s needs are much more important than that.

You’ll recall that the Web poses two fundamental challenges. One challenge is that any given piece of content, a single document, needs to be presented in multiple ways. This is the problem that CSS was designed to solve. The other challenge is the inverse: many different kinds of content need to be made available, each kind requiring a similar presentation. This is what XML (and its own accompanying “style sheet” language, XSLT) was designed to solve. Therefore, combining the powerful capabilities of CSS and XML is the path we should take to understanding, technically, how to solve this problem and present content to users and their user agents.

Since a specific user agent is just a tool for a specific user, the form the user agent takes depends on what the needs of the user are. In formal use case semantics, these users are called actors, and we can describe their needs by determining the steps they must take to accomplish some goal. Similarly, in each use case, a certain tool or tools used to accomplish these goals defines what the user agent is in that particular scenario.2

A simple example of this is that when Joe goes online to read the latest technology news from Slashdot, he uses a web browser to do this. Joe (our actor) is the user, his web browser (whichever one he chooses to use) is the user agent, and reading the latest technology news is the goal. That’s a very traditional interaction, and in such a scenario we can make some pretty safe assumptions about how Joe, being a human and all, reads news.

Now let’s envision a more outlandish scenario to challenge our understanding of the principle. Joe needs to go shopping to refill his refrigerator and he prefers to buy the items he needs with the least amount of required driving due to rising gas prices. This is why he owns the (fictional) Frigerator2000, a network-capable refrigerator that keeps tabs on the inventory levels of nearby grocery stores and supermarkets and helps Joe plan his route. This helps him avoid driving to a store where he won’t be able to purchase the items he needs.

If this sounds too much like science fiction to you, think again. This is a different application of the same principle used by feed readers, only instead of aggregating news articles from web sites we’re aggregating inventory levels from grocery stores. All that would be required to make this a reality is an XML format for describing a store’s inventory levels, a bit of embedded software, a network interface card on a refrigerator, and some tech-savvy grocery stores to publish such content on the Internet.

In this scenario, however, our user agent is radically different from the traditional web browser. It’s a refrigerator! Of course, there aren’t (yet) any such user agents out crawling the Web today, but there are a lot of user agents that aren’t web browsers doing exactly that.

Search engines like Google, Yahoo!, and Ask.com are probably the most famous examples of users that aren’t people. These companies all have automated programs, called spiders, which “crawl” the Web indexing all the content they can find. Unlike humans and very much like our hypothetical refrigerator-based user agent, these spiders can’t look at content with their eyes or listen to audio with their ears, so their needs are very different from someone like Joe’s.

There are still other systems of various sorts that exist to let us interact with web sites and these, too, can be considered user agents. For example, many web sites provide an API that exposes some functionality as web services. Microsoft Word 2008 is an example of a desktop application that you can use to create blog posts in blogging software such as WordPress and MovableType because both of these blogging tools support the MetaWeblog API, an XML-RPC3 specification. In this case, Microsoft Word can be considered a user agent.

As mentioned earlier, the many incarnations of news readers that exist are another form of user agent. Many web browsers and email applications, such as Mozilla Thunderbird and Apple Mail, do this, too.4 Feed readers provide a particularly interesting way to examine the concept of user agents because there are many popular feed reading web sites today, such as Bloglines.com and Google Reader. If Joe opens his web browser and logs into his account at Bloglines, then Joe’s web browser is the user agent and Joe is the user. However, when Joe reads the news feeds he’s subscribed to in Bloglines, the Bloglines server goes to fetch the RSS- or Atom-formatted feed from the sourced site. What this means is that from the point of view of the sourced site, Bloglines.com is the user, and the Bloglines server process is the user agent.

Coming to this realization means that, as developers, we can understand user agents as an abstraction for a particular actor’s goals as well as their capabilities. This is, of course, an intentionally vague definition because it’s technically impossible for you, as the developer, to predict the features or capabilities present in any particular user agent. This is a challenge we’ll be talking about a lot in the remainder of this book because it is one of the defining characteristics of the Web as a publishing medium.

Rather than this lack of clairvoyance being a problem, however, the constraint of not knowing who or what will be accessing our published content is actually a good thing. It turns out that well-designed markup is also markup that is blissfully ignorant of its user, because it is solely focused on describing itself. You might even call it narcissistic.

Why giving the user control is not giving up

Talking about self-describing markup is just another way of talking about semantic markup. In this paradigm, the content in the fetched document is strictly segregated from its ultimate presentation. Nevertheless, the content must eventually be presented to the user somehow. If information for how to do this isn’t provided by the markup, then where is it, and who decides what it is?

At first you’ll no doubt be tempted to say that this information is in the document’s style sheet and that it is the document’s developer who decides what that is. As you’ll examine in detail in the next chapter, this answer is only mostly correct. In every case, it is ultimately the user agent that determines what styles (in which style sheets) get applied to the markup it fetches. Furthermore, many user agents (especially modern web browsers) allow the users themselves to further modify the style rules that get applied to content. In the end, you can only influence—not control—the final presentation.

Though surprising to some, this model actually makes perfect sense. Allowing the users ultimate control of the content’s presentation helps to ensure that you meet every possible need of each user. By using CSS, content authors, publishers, and developers—that is, you—can provide author style sheets that easily accommodate, say, 80 percent of the needs of 90 percent of the users. Even in the most optimistic scenario, edge cases that you may not ever be aware of will still escape you no matter how hard you try to accommodate everyone’s every need.5 Moreover, even if you had those kinds of unlimited resources, you may not know how best to improve the situation for that user. Given this, who better to determine the presentation of a given XML document that needs to be presented in some very specific way than the users with that very specific need themselves?

A common real-life example of this situation might occur if Joe were colorblind. If he were and he wanted to visit some news site where the links in the article pullouts were too similar a color to the pullout’s background, he might not realize that those elements are actually links. Thankfully, because Joe’s browser allows him to set up a web site with his own user style sheet, he can change the color of these links to something that he can see more easily. If CSS were not designed with this in mind, it would be impossible for Joe to personalize the presentation of this news site so that it would be optimal for him.

To many designers coming from traditional industries such as print design, the fact that users can change the presentation of their content is an alarming concept. Nevertheless, this isn’t just the way the Web was made to work; this is the only way it could have worked. Philosophically, the Web is a technology that puts control into the hands of users. Therefore, our charge as web designers is to judge different people’s needs to be of equal importance, and we can’t do this if we treat every user exactly the same way.6

  1. This is purposefully a broad definition because we’re not just talking about web pages here, but rather all kinds of technology. The principles are universal. There are, however, more exacting definitions available. For instance, the W3C begins the HTML 4 specification with some formal definitions, including what a “user agent” is. See http://www.w3.org/TR/REC-html40/conform.html. []
  2. In real use cases, technical jargon and specific tools like a web browser are omitted because such use cases are used to define a system’s requirements, not its implementation. Nevertheless, the notion of an actor and an actor’s goals are helpful in understanding the mysterious “user” and this user’s software. []
  3. XML-RPC is a term referring to the use of XML files describing method calls and data transmitted over HTTP, typically used by automated systems. It is thus a great example of a technology that takes advantage of XML’s data serialization capabilities, and is often thought of as a precursor to today’s Ajax techniques. []
  4. It was in fact the much older email technology from which the term user agent originated; an email client program is more technically called a mail user agent (MUA). []
  5. As it happens, this is the same argument open source software proponents make about why such open source software often succeeds in meeting the needs of more users than closed source, proprietary systems controlled solely by a single company with (by definition) relatively limited resources. []
  6. This philosophy is embodied in the formal study of ethics, which is a compelling topic for us as CSS developers, considering the vastness of the implications we describe here. []

Relationship Anarchy is not for fuckboys (or polyamorists)

This is really a great piece. Really great.

Real relationship anarchy is political. There’s just no way around it. How could it be otherwise, when it has roots in political anarchism? Relationship anarchy is not about getting your dick wet and looking cool while you do it. It’s not about sounding hipper than all the other polyamorists. You can do polyamory without any political consciousness whatsoever, and you can definitely do monogamy without it. You can be mono or poly in service of the capitalist hetero-patriarchy. Most people are. But you can’t do relationship anarchy without some awareness of the socio-political context you’re operating in and how you’re attempting to go against that grain out of a genuine belief in certain concrete principles. Those concrete principles are nothing so basic and shallow as “freedom” (to fuck) or “honesty.” They’re the kind of political principles that you can base an effective social movement on: a movement that offers an alternative to the capitalist hetero-patriarchy’s commodification of bodies, sex, and love; to the sabotage of female solidarity in friendship and romantic love; to neoliberal capitalism’s goal of the isolated couple and nuclear family; to the homophobia and toxic gender crap that prevents even nonsexual/nonromantic connection and intimacy between members of the same sex.

[…R]elationship anarchy resonates with me so much because its principles amount to a friendship ethic. The word “friendship” is widely used as a broad, vague, often meaningless term, but to me, friendship as this deep, intimate, important, positive bond between humans is described really well by the above set of principles. Friendship leans away from interpersonal coercion by default and can’t survive under the burden of it for long. Mutual aid and cooperation are in friendship’s very nature; you could even define friendship by those qualities: helping and supporting each other out of desire and not duty. And when friendship is committed, that commitment is done in a spirit of communication, not drawn up as a contract, which what marriage is: a legal contract binding romantic partners.

[…]

Being a relationship anarchist doesn’t mean you have to fuck more than one person at a time, because relationship anarchy is not about sexual nonmonogamy, even though it is usually inclusive of sexual nonmonogamy. Relationship anarchy is not polyamory sans the obvious hierarchy of romantic partners. It’s about doing relationships with community-centric values, not couple-centric values. Above all, it’s about relating to other human beings without coercive authority in play and without hierarchy in your group of relationships or in any relationship itself.

I fucking cringe when I read about polyamorous people defining “relationship anarchy” using nonhierarchal polyamory’s terms, just as I cringe when I hear stories of men pulling the RA card on their casual sexcapades. Not just because of how unbelievably inaccurate, apolitical, and ignorant it is but because in both cases, “relationship anarchy” is falsely used to describe the kind of romance supremacist, friendship-excluding, sex-centric lifestyles that are diametrically opposed to authentic relationship anarchy.

The capitalist, heteronormative, patriarchal state promotes relationship hierarchies based on romance supremacy and amatonormativity. It endorses treating sex like a product, protects heterosexual men in their consumption of female bodies as sexual objects, promotes the buying and selling of women’s sexualized bodies. The capitalist heteronormative patriarchal state WANTS you to invest all of your free time, energy, resources, and emotion into romantic couplehood, into marriage, into sex. It WANTS you to devalue friendship, to stay isolated from everyone who isn’t your romantic partner, to be a self-interested individual with no ties or commitments to anyone but your spouse. Why? Because friendship could lead to community and community could lead to collective political action, which could turn into revolution. And because friendship and community are almost impossible to commodify and harness for the purpose of feeding into the capitalist economy and creating bigger profits for the wealthy elite. Sex and romance make rich people money all day every day. They sell it to you every waking moment. They can’t use friendship and community to sell you shit. They can’t turn friendship and community into products. If they could, they would’ve spent the last century doing so, instead of teaching the public that friendship is worthless and money is more important than community.

So don’t tell me that you’re entitled to call your polyamory or your casual sex “relationship anarchy,” as you conduct your social life with anti-anarchism principles and the same amatonormativity that all the coupled up monogamists preach and believe in. Don’t tell me you’re a “relationship anarchist” when you don’t give a fuck about friendship or community or political resistance, just sex and romance and your freedom to be nonmonogamous.

Relationship anarchy is not a cover for fuckboys. And it is not nonhierarchical polyamory.

The First Rule of Human Rights is to Never Trust Legal Systems Alone to Protect Human Rights

From the Tor Project’s blog today come “10 Principles for User Protection.” The very first principle is “Do not rely on the law to protect systems or users.” Tor Project developer Mike Perry:

Unfortunately, it is […] likely that in the United States, current legal mechanisms, such as NSLs and secret FISA warrants, will continue to target the marginalized. This will include immigrants, Muslims, minorities, and even journalists who dare to report unfavorably about the status quo. History is full of examples of surveillance infrastructure being abused for political reasons.

[…W]e decided to enumerate some general principles that we follow to design systems that are resistant to coercion, compromise, and single points of failure of all kinds, especially adversarial failure. We hope that these principles can be used to start a wider conversation about current best practices for data management and potential areas for improvement at major tech companies.

Mike Perry’s full list of 10 principles:

  1. Do not rely on the law to protect systems or users.
  2. Prepare and test policy commentary for quick response to crisis.
  3. Only keep the user data that you currently need.
  4. Give users full control over their data.
  5. Allow pseudonymity and anonymity.
  6. Encrypt data in transit and at rest.
  7. Invest in cryptographic R&D to replace non-cryptographic systems.
  8. Eliminate single points of security failure, even against coercion.
  9. Favor open source and enable user freedom.
  10. Practice transparency: share best practices, stand for ethics, and report abuse.

It’s genuinely refreshing to see this sort of thing coming from techies. The danger, of course, is in failing to point out that this is the sort of stuff the marginalized groups Mike Perry mentions have already been saying for generations. This is not a “pat ourselves on the back” moment, white techies. This is a “seriously, what the fuck is wrong with us that it took a Trump electoral victory to get vocal about this super basic stuff. (Spoiler: the answer is white supremacist capitalist patriarchy and all that it entails.)

Image courtesy CurrentAffairs.org.

Defense Against the Dark Arts and Mr. Robot’s Netflix ‘n’ Hack (rebooted) at Recurse Center

Last Saturday, I hosted another Mr. Robot’s Netlfix ‘n’ Hack session at the Recurse Center. I’ve been doing these weekly for three weeks now (here is a link to last week’s), and this time was the first week when the new set of batchlings were in the space. To better include them, we rebooted the series and re-screened the first episode of the show.

Last week was also the national elections in the United States. The outcome of that election was that Donald Drumpf was voted into office as President and over the course of the week he began selecting self-described white nationalists into positions of power in his upcoming administration. In light of these events, I’ve spent most of my waking hours fielding incoming requests for help about “what to do” in a number of different areas.

This election changes very little for me, personally. I have already been aware that we live in a police state, controlled by fascists and white supremacists. I’ve been preparing for worse and prepared for this eventuality for a long time. What this election changed, for me, was the fact that everyone around me was suddenly treating me like the things I was doing made sense, rather than being treated like some overly paranoid weirdo. So, that’s nice.

This also means that I’ve been getting lots of questions about digital security, privacy, anti-surveillance and censorship circumvention techniques. Y’know, commsec, opsec, and security culture stuff. In light of these events, I decided to kick off the new round of Mr. Robot’s Netflix ‘n’ Hack sessions with a whirlwind crash course of the defensive aspects of computer security techniques. Basically, I ran a very compressed CryptoParty.

Someone suggested that we call this a “Defense Against the Dark Arts” session, and I liked the analogy well enough to take the suggestion. Like the other Mr. Robot’s Netflix ‘n’ Hack nights, this one was well attended. We filled the session room to the max. It was probably between 15 or 20 of us to start with, and then it dwindled down to about 10 for the actual screening and post-screening discussion.

In my paradoxical, eternal optimism, I somehow had the idea that we could complete this lightning CryptoParty, which included install fests of Signal and the TorBrowser, within thirty minutes. I was wrong; we went over by about 30 minutes, and the screening of Mr. Robot started late. But so many (all?) of the attendees got set up with Signal and the TorBrowser, and that was really great.

As promised, I wanted to make sure that everyone had links to the reference guides and other resources presented in this defense-focused super quick “Defense Against the Dark Arts” session. To do so, I sent a follow up email with links to those resources. A portion of that email is presented verbatim, here:

In addition to these primers and the links included in them, additional useful resources are:

  • PrivacyTools.io – Simply start at the top and read down the page. This is as guided an introduction to privacy issues and what to do about them as it gets.
  • EFF’s Surveillance Self-Defense Handbook – A thorough treatment of anti-surveillance software, along with tutorials for how to get them installed and working on your system.
    • If you’re feeling overwhelmed by all of this already, consider spending just a little bit of time to walk yourself through the SSD’s Security Starter Pack.
  • PRISM-Break! – An overwhelmingly large digital reference card for all the privacy-enhancing tools available to you for a particular platform, purpose, or protocol. Be cautious here, some of the listed tools are experimental, not audited, or worse.
  • Security in a Box – A slightly dated, but still generally solid, resource website featuring much of the same content as the EFF’s Surveillance Self-Defense guide, but with a regularly updated blog. Created and maintained by the TacticalTech.org collective.

There’s a ton of stuff in there, and learning about how to defend yourself from governments, corporations, or malicious individuals on the Internet is more involved than simply picking up one or two tools. But a few well-chosen tools does give you a really, really good start. Taking some time to familiarize yourself with the above guides will hopefully help you become even more capable.

Following the install fest, we finally screened Episode 1 of Mr. Robot again. I already posted our list of tools, techniques, and procedures from the first week, and this didn’t change much. With a different audience, however, the discussion we had post-show did change quite a bit.

Unlike the first week, when people were interested in Tor onion routing and the dark/deep Web, this time people wanted to know about social engineeering and password cracking. So our discussion focused on sharing resources for social engineering, and books such as Kevin Mitnick’s “Art of Deception” and Robert Cialdini’s “Influence: The Psychology of Persuasion” came up. (So did Freedom Downtime, a documentary about Kevin Mitnick’s persecution by the FBI.)

After that, we also talked about the mechanics of password cracking. I gave an overview of the process from exploitation to data exfiltration, but focused on using the hash-“cracking” (really guessing) tool called Hashcat to demo finding the plaintext of hashed passwords. A lot of time in the discussion was spent showing the practicalities of how hashing (i.e., “trap door functions” or “one-way functions”) works by using md5 and shasum commands on the command line. Then I showed the syntax of the hashcat command to run a dictionary attack (with the infamous “rockyou” wordlist) against simple unsalted MD5 hashed passwords from a very old data dump file (hashcat -a 0 md5sums.txt wordlists/rockyou.txt). Have another look at the SecLists project on GitHub to find wordlists like these useful for password cracking.

We also talked about some common mistakes that application developers make when trying to secure their applications, and that users often make when trying to secure their passwords:

  • Try to generate per-user, instead of per-site, salt.
  • Don’t just double-hash passwords (i.e., hash(hash($password)), because this reduces the entropy used as input for the final result, and increases the chance of hash collisions. Instead, iterate the hash function by concatenating the original input (or a salt, or something) back into the resulting hash as well (i.e., hash($salt . hash($salt . $password))). This iteration also slows down an offline attack, but again, only if done correctly in code.
  • Don’t use multiple dictionary words as a password, even a long one, because these are easy to guess. For instance, contrary to popular belief, “correct battery horse staple” is a bad password, not because it lacks entropy, but because all of its components are likely to be in an attacker’s wordlist. Use a password manager and generate random passwords, instead.

Next week, we’ll return to our regularly-scheduled Mr. Robot’s Netflix ‘n’ Hack format: a demo/show-and-tell/exercise of a tool, technique, or procedure (TTP) featured in Episode 1, followed by a screening of Episode 2, and ending with a discussion about Episode 2’s TTPs. I thought that since we’ve done Onion services already, I would change gears and show an online attack similar to some of the ones Eliot used in the show by demoing a tool called Hydra. Another participant also said they may demo hiding data inside of audio CDs using a steganographic tool called DeepSound, also featured in episode 1.

However, this upcoming Saturday is a number of anti-Trump and anti-surveillance organizing meetings and workshops, so I may have to skip this week’s Mr. Robot’s Netflix ‘n’ Hack myself. If not, we may switch to Sunday just for the week. Time will tell. :)

Ethics Refactoring: An experiment at the Recurse Center to address an ACTUAL crisis among programmers

Ethics Refactoring session, part 1

Ethics Refactoring session, part 2

I’ve been struggling to find meaningful value from my time at the Recurse Center, and I have a growing amount of harsh criticism about it. Last week, in exasperation and exhaustion after a month of taking other people’s suggestions for how to make the most out of my batch, I basically threw up my hands and declared defeat. One positive effect of declaring defeat was that I suddenly felt more comfortable being bolder at RC itself; if things went poorly, I’d just continue to distance myself. Over the weekend, I tried something new (“Mr. Robot’s Netflix ‘n’ Hack”), and that went well. Last night, I tried another, even more new thing. It went…not badly.

Very little of my criticism about RC is actually criticism that is uniquely applicable to RC. Most of it is criticism that could be levied far more harshly at basically every other institution that claims to provide an environment to “learn to code” or to “become a dramatically better programmer.” But I’m not at those other institutions, I’m at this one. And I’m at this one, and not those other ones, for a reason: Recurse Center prides itself on being something very different from all those other places. So it’s more disappointing and arguably more applicable, not less, that the criticisms of RC that I do have feel equally applicable to those other spaces.

That being said, because no other institution I’m aware of is structured quite like the Recurse Center is, the experiments I tried out this week after declaring a personal “defeat” would not even be possible in another venue. That is a huge point in RC’s favor. I should probably write a more thorough and less vague post about all these criticisms, but that post is not the one I want to write today. Instead, I just want to write up a bit about the second experiment that I tried.

I called it an “ethics refactoring session.” The short version of my pitch for the event read as follows:

What is the operative ethic of a given feature, product design, or implementation choice you make? Who is the feature intended to empower or serve? How do we measure that? In “Ethical Refactoring,” we’ll take a look at small part of an existing popular feature, product, or service, analyze its UX flow/implementation/etc. from the point of view of different users, and discuss the ethical considerations and assumptions implicit in the developer’s design choices. Next we’ll choose a different ethic to accentuate and re-design the same feature/product/service from a different ethical perspective and see how this affects our development process and design choices.

Basically, I want there to be more conversations among technologists that focus on why we’re building what we’re building. Or, in other words:

Not a crisis: not everybody can code.

Actually a crisis: programmers don’t know ethics, history, sociology, psychology, or the law.

https://twitter.com/bmastenbrook/status/793104148732469248

Here’s an idea: before we teach everybody to code, how about we teach coders about the people whose lives they’re affecting?

https://twitter.com/bmastenbrook/status/793104080214392832

Ethics is one of those things that are hard to convince people with power—such as most professional programmers, especially the most “successful” of them—to take seriously. Here’s how Christian Rudder, one of the founders of OkCupid and a very successful Silicon Valley entrepreneur, views ethics and ethicists:

Interviewer: Have you thought about bringing in, say, like an ethicist to, to vet your experiments?

Christian Rudder: To wring his hands all day for a hundred thousand dollars a year?

Interviewer: Well, y’know, you could pay him, y’know, on a case by case basis, maybe not a hundred thousand a year.

CR: Sure, yeah, I was making a joke. No we have not thought about that.

The general attitude that ethics are just, like, not important is of course not limited to programmers and technologists. But I think it’s clear why this is more an indictment of our society writ large than it is any form of sensible defense for technologists. Nevertheless, this is often used as a defense, anyway.

One of the challenges inherent in doing something that no one else is doing is that, well, no one really understands what you’re trying to do. It’s unusual. There’s no role model for it. Precedent for it is scant. It’s hard to understand unfamiliar things without a lot of explanation or prior exposure to those things. So in addition to the above short pitch, I wrote a longer explanation of my idea on the RC community forums:

Hi all,

I’d like to try an experiment that’s possibly a little far afield from what many folks might be used to. I think this would be a lot more valuable with involvement from the RC alumni community, so I’m gonna make a first attempt this upcoming Tuesday, November 1st, at 6:30pm (when alumni are welcome to stop by 455 Broadway).

And what is this experiment? I’m calling it an “Ethics Refactoring” session.

In these sessions, we’ll take a look at a small part of an existing popular feature, product, or service that many people are likely already familiar with (like the Facebook notification feed, the OkCupid “match percentage” display, and so on), analyze its UX flow/implementation/etc. from the point of view of different users, and discuss the ethical considerations and assumptions implicit in the developer’s design choices. Next we’ll choose a different ethic to accentuate and re-design the same feature/product/service taking a different ethical stance and see how this affects our development process and design choices.

This isn’t about “right” or “wrong,” “better” or “worse,” nor is it about making sure everyone agrees with everyone else about what ethic a given feature “should” prioritize. Rather, I want this to be about:

  • practicing ways of making the implicit values decisions process that happens during product/feature development and implementation more explicit,
  • gaining a better understanding of the ethical “active ingredient” in a given feature, product design, or implementation choice, and
  • honing our own communication skills (both verbally and through our product designs) around expressing our values to different people we work with.

I know this sounds a bit vague, and that’s because I’ve never done anything like this and don’t exactly know how to realize the vision for a session like that’s in my head. My hope is that something like the above description is close enough, and intriguing enough, to enough people (and particularly to the alumnus community) that y’all will be excited enough to try out something new like this with me.

Also, while not exactly what I’m talking/thinking about, one good introduction to some of the above ideas in a very particular area is at the http://TimeWellSpent.io website. Take a moment to browse that site if the above description leaves you feeling curious but wary of coming to this. :)

I think “Ethics Refactoring” sessions could be useful for:

  • getting to know fellow RC’ers who you may not spend much time with due to differences in language/framework/platform choice,
  • gaining insight into the non-obvious but often far-reaching implications of making certain design or implementation choices,
  • learning about specific technologies by understanding their non-technological effects (i.e., learning about a class of technologies by starting at a different place than “the user manual/hello world example”)
  • having what are often difficult and nuanced conversations with employers, colleagues, or even less-technical users for which understanding the details of people’s life experiences as well as the details of a particular technology is required to communicate an idea or concern effectively.

-maymay

And then when, to my surprise, I got a lot more RSVPs than I’d expected, I further clarified:

I’m happy to note that there are 19(!!!) “Yes” RSVP’s on the Zulip thread, but a little surprised because I did not have such a large group in mind when I conceived this. Since this is kind of an experiment from the get-go, I think I’m going to revise my own plan for facilitating such a session to accommodate such a relatively large group and impose a very loose structure. I also only allotted 1 hour for this, and with a larger group we may need a bit more time?

With that in mind, here is a short and very fuzzy outline for what I’m thinking we’ll do in this session tomorrow:

  • 5-10min: Welcome! And a minimal orientation for what we mean when we say “ethic” for the purpose of this session (as in, “identify the operative ethic of a given feature”). Specifically, clarify the following: an “ethic” is distinct from and not the same thing as an “incentive structure” or a “values statement,” despite being related to both of those things (and others).
  • 15-20min: Group brainstorm to think of and list popular or familiar features/products/services that are of a good size for this exercise; “Facebook” is too large, “Facebook’s icon for the Settings page” is too small, but “Facebook’s notification stream” is about right. Then pick two or three from the list that the largest number of people have used or are familiar with, and see if we can figure out what those features’ “operative ethics” can reasonably be said to be.
  • 15-20min: Split into smaller work-groups to redesign a given feature; your work-groups may work best if they consist of people who 1) want to redesign the same given feature as you and 2) want to redesign to highlight the same ethic as you. I.e., if you want to redesign Facebook’s notification stream to highlight a given ethic, group with others who want to work both on that feature AND with towards the same ethic. (It is okay if you have slight disagreements or different goals than your group-mates; the point of this session is to note how ethics inform the collaborative process, not to produce a deliverable or to write code that implements a different design.)
  • 10-15min: Describe the alternate design your group came up with to the rest of the participants, and ask/answer some questions about it.

This might be a lot to cram into 1 hour with 19+ people, but I really have no idea. I’m also not totally sure this will even “work” (i.e., translate well from my head to an actual room full of people). But I guess we’ll know by tomorrow evening. :)

The session itself did, indeed, attract more attendees than I was originally expecting. (Another good thing about Recurse Center: the structure and culture of the space makes room for conversations like these.) While I tried to make sure we stuck to the above outline, we didn’t actually stick strictly to it. Instead of splitting into smaller groups (which I still think would have been a better idea), we stayed in one large group; it’s possible that 1 hour is simply not enough time. Or I could have been more forceful in facilitating. I didn’t really want to be, though; I was doing this partially to suss out who I didn’t yet know “in the RC community” who I could mesh with as much as I was doing it to provide a space for the current RC community to have these conversations or expose them to a way of thinking about technology that I regularly practice already.

The pictures attached to this post are a visual record of the two whiteboards “final” result from the conversation. The first is simply a list of features (“brainstorm to think of and list popular features”), and included:

  • Facebook’s News Feed
  • Yelp recommendation engine
  • Uber driver rating system
  • Netflix auto-play
  • Dating site messaging systems (Tinder “match,” OkCupid private messages, Bumble “women message first”)

One of the patterns throughout the session that kept happening was that people seemed reticent or confused at the beginning of each block (“what do you mean ethics are different from values?” and “I don’t know if there are any features I can think of with these kinds of ethical considerations”) and yet by the end of each block, we had far, far more relevant examples to analyze than we actually had time to discuss. I think this clearly reveals how under-discussed and under-appreciated this aspect of programming work really is.

The second picture shows an example of an actual “ethical refactoring” exercise. The group of us chose to use Uber’s driver rating system as the group exercise, because most of us were familiar with it and it was a fairly straightforward system. I began by asking folks how the system presented itself to them as passengers, and then drawing simplified representations of the screens on the whiteboard. (That’s what you see in the top-left of the second attached image.) Then we listed out some business cases/reasons for why this feature exists (the top-right of the second attached image), and from there we extrapolated some larger ethical frameworks by looking for patterns in the business cases (the list marked “Ethic???” on the bottom-right of the image).

By now, the group of us had vastly different ideas about not only why Uber did things a certain way, but also about what a given change someone suggested to the system would do, and the exercise stalled a bit. I think this in itself revealed a pretty useful point: a design choice you make with the intention of having a certain impact may actually feel very different to different people. This sounds obvious, but actually isn’t.

Rather than summarize our conversation, I’ll end by listing a few take-aways that I think were important:

  • Ethics is a systems-thinking problem, and cannot be approached piecemeal. That is, you cannot make a system “ethical” by minor tweaks, such as by adding a feature here or removing a feature there. The ethics of something is a function of all its component’s and the interactions between them, both technical and non-technical. The analogy I used was security: you cannot secure an insecure design by adding a login page. You have to change the design, because a system is only as secure as its weakest link.
  • Understand and appreciate why different people might look at exactly the same implementation and come away feeling like a very different operative ethic is the driving force of that feature. In this experimental session, one of the sticking points was the way in which Uber’s algorithm for rating drivers was considered either to be driven by an ethic of domination or an ethic of self-improvement by different people. I obviously have my own ideas and feelings about Uber’s rating system, but the point here is not that one group is “right” and the other group is “wrong,” but rather that the same feature was perceived in a very different light by different sets of people. For now, all I want to say is notice and appreciate that.
  • Consider that second-order effects will reach beyond the system you’re designing and impact people who are not direct users of your product. This means that designers should consider the effects their system has not just on their product’s direct user base, but also on the people who can’t, won’t, or just don’t use their product, too. Traditionally, these groups of people are either ignored or actively “converted” (think how “conversions” means “sales” to business people), but there are a lot of other reasons why this approach isn’t good for anyone involved, including the makers of a thing. Some sensitivity to the ecosystem in which you are operating is helpful to the design process, too (think interoperability, for example).
  • Even small changes to a design can massively alter the ethical considerations at play. In our session, one thing that kept coming up about Uber’s system is that a user who rates a driver has very little feedback about how that rating will affect the driver. A big part of the discussion we had centered on questions like, “What would happen if the user would be shown the driver’s new rating in the UI before they actually submitted a given rating to a given driver?” This is something people were split about, both in terms of what ethic such a design choice actually mapped to as well as what the actual effect of such a design choice would be. Similar questions popped up for other aspects of the rating system.
  • Consider the impact of unintended, or unexpected, consequences carefully. This is perhaps the most important take-away, and also one of the hardest things to actually do. After all, the whole point of an analysis process is that it analyzes only the things that are captured by the analysis process. But that’s the rub! It is often the unintentional byproducts, rather than the intentional direct results, of a system that has the strongest impact (whether good or bad) of successful systems. As a friend of mine likes to say, “Everything important is a side-effect.” This was made very clear through the exercise simply by virtue of the frequency and ease with which a suggestion by one person often prompted a different person to highlight a likely scenario in which that same suggestion could backfire.

I left the session with mixed feelings.

On the one hand, I’m glad to have had a space to try this out. I’m pleased and even a little heartened that it was received so warmly, and I’m equally pleased to have been approached by numerous people afterwards who had a lot more questions, suggestions, and impressions to share. I’m also pleased that at no point did we get too bogged down in abstract, philosophical conversations such as “but what are ethics really?” Those are not fruitful conversations. Credit to the participants for being willing to try something out of the ordinary, and potentially very emotionally loaded, and doing so with grace.

On the other hand, I’m frustrated that these conversations seem perpetually stuck in places that I feel are elementary. That’s not intended as a slight against anyone involved, but rather as an expression of loneliness on my part, and the pain at being reminded that these are the sorts of exercises I have been doing by myself, with myself, and largely for myself for long enough that I’ve gotten maddeningly more familiar with doing them than anyone else that I regularly interact with. If I had more physical, mental, and emotional energy, and more faith that RC was a place where I could find the sort of relationships that could feasibly blossom into meaningful collaborations with people whose politics were aligned with mine, then I probably would feel more enthused that this sort of thing was so warmly received. As it stands though, as fun and as valuable as this experiment may have been, I have serious reservations about how much energy to devote to this sort of thing moving forward, because I am really, really, really tired of making myself the messenger, or taking a path less traveled.

Besides, I genuinely believe that “politicizing techies” is a bad strategy for revolution. Or at least, not as good a strategy as “technicalizing radicals.” And I’m just not interested in anything short of revolution. ¯\_(ツ)_/¯