39: I Carry A Grudge

This book won’t be in progress long. I hope.

These block lists are distributed via DNS, and are called DNS Block Lists (DNSBL). (You’ll also see Reputation Block Lists, or RBLs, but that term is trademarked.) By refusing all mail from hosts on a reliable block list, you immediately stop the overwhelming majority of spam.

That’s the catch: a reliable block list.

This is the Internet. Just as anyone can run a web site, anyone can publish a block list—and you can’t tell by the name. These projects were overwhelmingly founded by infuriated geeks, and often grew beyond their original intent and scale. “Spam Eating Monkey” is a highly trustworthy list provider, while some official-looking lists should more properly be named “HTML Email Is Immoral And I Carry A Grudge.”

The scheduling on RYOMS is gonna be weird due to outside forces I can’t control, but I’ll get it in your hands as soon as possible.

Vultr Just Betrayed Us

I suppose the hip kids would say this is enshittification, but it’s certainly a betrayal.

According to their new Terms of Service:

You hereby grant to Vultr a non-exclusive, perpetual, irrevocable, royalty-free, fully paid-up, worldwide license (including the right to sublicense through multiple tiers) to use, reproduce, process, adapt, publicly perform, publicly display, modify, prepare derivative works, publish, transmit and distribute each of your User Content, or any portion thereof, in any form, medium or distribution method now known or hereafter existing, known or developed, and otherwise use and commercialize the User Content in any way that Vultr deems appropriate, without any further consent, notice and/or compensation to you or to any third parties, for purposes of providing the Services to you.

This is unacceptable. No other hosting company does this.

The TLDR on the side is deceitful. They say that we own our stuff. Fine. The fine print declares that we license our stuff to them, for full exploitation, without compensation.

I have not agreed to those ToS. Fortunately, I can migrate off their systems without console access, so I do not have to agree. If you use vultr, I suggest you do the same. Also contact them through their contact page and state your refusal. I’m told you can cancel via their page without logging in, but haven’t yet tried it.

I am now investigating alternatives for hosting FreeBSD and OpenBSD systems. Preferably that take custom installs.

Shopify vs Woocommerce for Author Bookstores

The hot new idea in writer circles is the author-owned bookstore. According to the Wayback Machine I’ve had my author-owned bookstore since 17 May 2013, so you can imagine I’m fully on board with this. This store now accounts for 35% of my income, more than Amazon, so it’s a critical part of my business.

When folks look at building a store, though, they’re immediately confronted with choosing a platform. There’s two major platforms: Shopify and Woocommerce. Which should you pick? The costs are comparable. The skill level to use either is about the same. They then commit a grievous error and ask me for my opinion.

I will always advise Woocommerce. Always.

When I say this, many authors immediately jump up and say “I tried Woo and it sucked, Shopify works better!” I would reframe that. “The first store I built sucked, the second store I built is much better!” The first book you wrote probably sucked, too. The first iteration of my Woo store also sucked. I look at a lot of author bookstores and immediately say, “Oh sweetie, no, this is not how you do it.” Some of them hired ‘technical’ people to build the store. Technical people are like literary agents: there is no qualifying exam, they act in their own interests according to their own biases, and you can’t afford a good one. Even a disaster is educational, though. Your failed first store taught you how to build a second store containing less suck. (It’s amazing how many writers are willing to spend years noodling over a manuscript, but expect their first store to work perfectly on their first try.)

My motivation for standing up my own bookstore is to declare independence from any outside channel. A decade ago, Amazon was the majority of my income. Making my books available in all channels increased the number of readers I drew while reducing my dependence on Amazon. Adding my own bookstore reduced my dependence on anyone. Yes, I use outside components and services, but every one of those parts can be replaced. Why would I replace a dependency on Amazon with a dependence on Shopify?

Cory Doctorow recently made a big splash with the word enshittifcation. He describes it as the process where an Internet company starts off being useful, becomes powerful, then starts squeezing values out of suppliers and then customers. It’s standard business practice at Internet scale. Ford and General Electric would totally do the same, if federal regulation didn’t prevent it. Amazon exists with very little federal regulation.

I prefer a simpler word: betrayal. It’s harsh, yes, but it fits.

Internet companies betray their user every day. Glassdoor sold itself as a place to anonymously rat out employers. Now the company wants to monetize its users, and is attaching real names to user profiles. While I could laugh and say You idiots trusted an Internet company, what did you expect? this will literally destroy lives and careers. Findaway Voices sold itself as one service, got bought by Spotify, changed its ToS to become an IP-pillaging company, and appeared to back down under protest. People thought it was a victory. It was not. We lost. We lost huge. It was an absolute rout. Compare their current terms of service to the pre-Spotify terms of service. Now consider what a minor update like “we added three carefully-chosen words to the ToS, they’re harmless legal boilerplate, we promise” could do. I guarantee that Findaway’s lawyers knew what words they would add and where they would put them before releasing these “friendly” Terms of Service. In Reddit’s quest to raise money, it trashed the people who create its value. All that’s only in the last year.

Betrayal is the Internet’s business model.

Businesses look out for their own interests. If a business believes it exists solely to maximize shareholder value, and has no legal, regulatory, or competitive barriers, it will become invaluable and then betray you.

What happens if either Shopify or Woo betrays me?

The Shopify software and all hosting thereof is fully controlled by the Shopify company. When folks tell me that they’re lovely people, what I hear is “the company’s current management is lovely, but the owners have decided to not betray their users. Yet.” A third of my income is at risk. If they become a problem I must hurry up and find a new store system, without advance warning, right freaking now.

The Woo software is freely available under a permissive license, and is hosted on a WordPress site I pay for. There is a Woocommerce company, yes, but they make money by selling support and add-ons. The actual software cannot be taken away. Yes, I buy some Woo plugins. There’s a super healthy plugin marketplace. If Woo Inc betrayed me, I’d have time to switch. After all, I have all the code. It’s running on my server. Betrayal would vex me, and I’d feel obliged to rant and rave. Also, Woo is a fork of Jigoshop. If Woo betrays its users, any number of those outside firms would leap up and happily take their place. And Woo knows it. That’s how they replaced Jigoshop. One day they’ll get bought and the new owners will go for a betrayal anyway, though.

When Shopify inevitably betrays me, over a third of my income is at risk.

When Woocommerce inevitably betrays me, I am not at risk. I’m merely pissed off.

Either way, you need to experiment with your store. Polish it. Experiment. Some of those experiments will be complete failures. Some will succeed worrying well. It’s all about what your readers want. Give readers a seamless buying experience, and expect that it’s gonna take a while.

38: A Fanatical Devotion to Magic Mushrooms

Today’s snippet is from a new Rats’ Man’s Lackey tale.

Whackadoo Manor was least creepy at sunrise.

The sideways light highlighted the bright white gingerbread scrollwork that framed the broad full-circle porch and surrounded the windows and eaves. The antique glass in the windows rippled into rainbows that shifted with my every step. The place always looked like a talented Victorian carpenter with a fanatical devotion to magic mushrooms had been given a lifetime supply of wormwood-laced absinthe and all the lumber he could scroll-saw, but this morning the sprawling mansion looked like it might actually be large enough to hold half of the rooms within. Even the leaded-glass conservatory loomed along the side opposite the driveway, and that place almost never deigned to show up.

It might have looked homey, if the edge of my vision hadn’t kept catching extra colors in the rainbows.

I shouldn’t have favorite children, but the Rats’ Mans’ Lackey tales are some of my favorites.

“Run Your Own Mail Server” off for tech review

I just finished the first draft of “Run Your Own Mail Server.” Copies have gone to my volunteer tech reviewers and my sponsors.

When I need to mass-mail my sponsors, I normally can only mail a dozen or so at a time without making Google and Microsoft throw a fit. This time, I mailed all 147 sponsors at once. None of the big providers even looked askance.

Requested feedback by 15 April, just to make tax day extra special. That’ll let me open the Kickstarter by Penguicon.

37: Send Physical Postcards

Still focusing on Run Your Own Mail Server, and so close to the end I could spit on it.

Remember, we’re talking about a protocol that doesn’t require validating certificate authenticity. The standards for TLS in email are low, no matter how we might wish otherwise.

So, what do we do?

One group of mail operators prioritizes broad compatibility. They still allow deprecated TLS and weak ciphers because they’re better than plain text. Postfix ships with this configuration, because otherwise people complain. Another group prioritizes transport integrity. They encourage DANE (or more recently, MTA-STS) and reject both plain text and any version of TLS other than 1.2 and 1.3. A third group keeps reminding everyone that email is not secure, has never been secure, and if you want privacy you should send physical postcards. You must understand which group you fall in, and recognize that other groups have different requirements.

Performing MTA-STS lookups is the last technical topic I must write about, then it’s social stuff I can blast out in a day.

February’s Fantabulous Sausage

(This post went to my Patronizers at the beginning of February, and the public at the beginning of March.)

Last month, I made plans. Immediately thereafter, life gave me a surprise.

Since my last doc visit in June, seems my blood pressure has doubled. It’s been 80/110 my whole life. Suddenly it went to 130/190.

What changed?

I had my first bout of covid, that’s what.

Fortunately high blood pressure is a well understood problem. I am resistant to the medication, but it’s been dragged out of “holy crap your brain is gonna explode” territory down into “well, that ain’t right” and we have hope it’ll reach normal before too much longer. The long term impact is real. The effort to arrange my life so I can be properly productive remains in place, though. I’ve had to slow down a bit. The drop in blood pressure has left me with orthostatic hypotension, which is great fun for a martial artist who specializes in throws and falls. Been focusing on tai chi and physical relaxation.

In some ways, that physical relaxation will be most difficult. The hip-height split keyboard works well for pure word production. I’m using them right now. I carefully placed them at a height where they only work if I relax my shoulders. Using them involves a tiny bit of knee flexion, but that’s actually preferred. It ensures I don’t lock my knees for eight hours straight. The problem is, “relaxed arm dangle” height corresponds with “tense your shoulders the way you shouldn’t, and hunch the way you also shouldn’t.” Martial arts practice has given me a decent posture, which in turn has helped me avoid myriad health problems caused by desk jobs, and I need to maintain that.

So: NO HUNCHING.

I’m still planning to publish a crapload of books this year, though. I might publish more than were on last month’s plan, if certain things work out. I totally forgot about one book that’s damn near ready to go to production. I need to finish the mail book first.

And how goes the mail book?

It’s my only writing project at this time. I’m cranking on rspamd. Rspamd is a seriously complicated program, mainly because people are complicated. It requires tuning. Some useful features are disabled for privacy reasons, and enabling them means explaining more than I had hoped. Rspamd has no single consistent management interface: some tasks can only be accomplished in the web interface, while others are limited to the command line. Technically, fetch http://localhost:11334/symbols is on the command line, but it gives you a file of compact JSON. Trying to grep that for a symbol name is not productive. I’ve been pointed at jq as a solution, but that’s another daft thing I need to figure out. It’s all a process of figuring out what I need to explain so I can explain what I need to explain, sigh. I’m spending the time to dig up solutions for command-line-based management wherever possible.

I’m still hoping to finish the first draft before family matters drag me to Las Vegas mid-February. I don’t know if I can do it. The blood pressure meds leave me a little woozy. Not sure if it’s because of the meds themselves, or if I’m acclimated to high pressure and returning to normal is destabilizing. Either way, it’s costing me time. Dealing with spam takes time and experience. While I use rspamd elsewhere, never before have I used it methodically. But once I finish that, the rest should be a matter of spewing the words onto the paper.

At least I have my email entirely switched over to the shiny new host, which is a good line to cross.

If you happen to live in Las Vegas, by the way, you’re welcome to have gelato with me on the 17th. 7PM. Details will be posted on my blog.

And if you don’t follow my so-called blog, I finally have an index of all my titles. It’s sortable by title, year of publication, fiction or non-fiction, and even length. I don’t know why you’d want to sort by length, but it was easier to leave that option than turn it off. Building this served as a double-check of all the titles on my site. No, I didn’t do the work myself: this is the first public-visible project completed by my Competent Assistant, and it’s something folks have begged for for years. I wasn’t ignoring y’all, I just didn’t have the information.

Dang. I’m hunching again. Stop it, dude.

I’ll blame WordPress. Because blaming wordpress is not always correct, but it is never wrong. Not as fiercely “never wrong” as always blaming Oracle, but never wrong.

I submitted a few talks to my usual conferences, Penguicon and BSDCan. Some of them involve email. It gives me a deadline for getting the book in people’s hands. If I can’t manage print by then, I at least want the Kickstarter going for Penguicon. Or a Kickstarter. I’m running enough of the damn things.

That’s all the news. Seriously. No big business decisions, no projects ready to announce. I’m just keeping on.

36: The Thirty Ton Replacement

As sort-of expected, the last chapter of Run Your Own Mail Server is getting split into tech detritus and social detritus. I’ll probably split this into two chapters.

Spambots all choose shortcuts. Postscreen catches many of them. Greylisting plays against others. A popular shortcut many spambots choose is to ignore backup MX records. These spambots attempt to contact the target’s primary MX, but if that fails they proceed to the next victim.

Remember, the SMTP protocol comes from an age when “high availability” meant buying expensive machines and “virtualization” meant hosting more than one domain on a machine. When hardware failed, it might remain offline for several days before the thirty-ton replacement got shipped in on an 18-wheel tractor-trailer from a couple states away. Legitimate mail servers had to communicate with the backup MX.
If most spammers ignore the backup MX, but legitimate senders respect it… what if you turn off the MTA listed in your primary MX?

I might even finish this book tomorrow.

35: The Day’s Third Hogshead

Here’s a snippet from my forthcoming Letters column for the FreeBSD Journal.

While “no” is sufficient answer to your question, the Journal editors insist that I respond in more depth so that they’re not left with blank pages. I don’t understand why they don’t simply cover that space with advertising, especially as I was not officially informed that the sales department is on a week-long gelato cruise that I was not invited to, but I suppose amateurs and hobbyists have a right to develop their meager skills without my presence highlighting their inferiority. (The trick is to eat through the dairy coma until your pancreas transcurses its fleshly limits, and understanding that water breaks are not only for cleansing the palate. If your undisciplined palate can still differentiate flavors after the day’s third hogshead, that is.)

Your problem distills to finances. Once you involve business, everything distills to finances. Those cozy leaders you worked for? Their kindness was either a ploy or weakness.

I’ll be Kickstarting a six year collection of these columns this summer.