30: The Expected Heat Death of the Universe

Grinding hard on Run Your Own Mail Server.

Modern DKIM uses 2048-bit keys. With current mathematical understanding, they are not brute-force breakable before the expected heat death of the universe. Modern cryptographic algorithms don’t fall to brute force, however. Mathematicians nibble at them, discovering weak point after weak point until, eventually, someone figures out how to break them in a reasonable time. Computer speed might not be accelerating the way it did a couple decades ago, but processing power is far more accessible than ever. Every year, any definition of “reasonable time” encompasses more and more processing power.

Will your key be broken? Probably not.

Is your organization a target for intruders? Do you handle money or personally identifiable information? Are legal stormtroopers likely to loom over your world and blast it into a billion shreds? If so, rotating your key every year or so is a respectable item on the list of things you do to convince auditors that you’re taking sensible precautions.

You still have time to sponsor this. Some time. The start of a book is slow, but the end is often an explosive implosion.

Terry Pratchett Discworld Bundle vs DRM

Terry Pratchett was one of the most brilliant writers of the last hundred years. I own everything he ever published, in print, a worthy investment of several feet of precious shelf space. Tattered SFBC hardcovers from the 1980s with feebly-glued pages covered in faded dust jackets, battered paperbacks smuggled from Canada, spiffy hardcovers from when the world realized his work was amazing. I have it all. (If you’ve never read Pratchett, Wikipedia has a handy flowchart to help you decide where to start.)

HarperCollins launched a Terry Pratchett Discworld ebook Humble Bundle. You can get all the Discworld novels for $18, minus the oddities like “The Science of Discworld.” I’ve been waiting for an ebook bundle like this. I naturally grabbed it.

BUT–getting the actual ebook files is a right pain.

HarperCollins is one of those big publishers that think everything needs DRM, and they came up with a convoluted dance to comply with it. Sort of.

The books are delivered via Kobo. You don’t need a Kobo account, although if you have one that’s dandy. You can download the books, except what you download isn’t the book. You download an Adobe DRM file, usable by Adobe Digital Editions. Open that file in ADE, and Adobe sends you an unencumbered epub.

I had to switch to the Windows machine to do this. ADE is so clunky, halfway through downloading these 38 books I had to reboot the whole computer. Then I passed them through Calibre’s DeDRM_tools plugin to get the actual files.

Pratchett is worth it, of course. But he deserves better. And so do we.

If HC wants to compete with stolen ebooks, they need a better system.

My web store does not do everything I would hope. Ideally, you would give me money and the epub would appear on your device automagically. But at the moment, “give me money and get a link to the epub” is looking pretty dang good.

29: I Find Your Lack of DMARC Disturbing

This book is going to get me hate mail from DMARC advocates, but otherwise I would get hate mail from users. Users win.

If you don’t publish DMARC records, spam detection systems evaluating your messages will say, “I find your lack of DMARC disturbing.” That increases the odds of your messages plunging into the spam folder. But what should you do about reporting, mailing lists, and so on?

If you are running a mail server truly for yourself and you don’t use mailing lists, or if you know none of your users will ever sign up for mailing lists, you could safely deploy aggressive DMARC policies. Start in reporting mode with a “none” policy, and increase strictness when the reports you receive say you can.

If you use mailing lists regularly, you’ll still need a simple DMARC record. Search the initial reports for weirdness, and chase down any unexpected senders on your systems. Once you confirm everything works as expected, check them maybe monthly and get on with your mailing lists.

You’re running out of time to sponsor this book. I know I’ve been working on this thing for a year, but I mean it. Really.

Blog Archive

For a few years now, I’ve wanted a date/title index for my blog. I searched for a plugin to do that easily and simply, and couldn’t find one. I hired an earnest flunky to do so. He couldn’t find one either. I decided to live with the current situation, and stop wasting my time searching for a tool. But every so often, I’d search again anyway. Find nothing. Remind myself to stop wasting time.

A couple days ago, one such search turned up Simple Yearly Archive. Which is on release 2.2, and has been around for years.

Anyway, the blog now has an archive page under the “Blog” menu.

This whole incident has reminded me that search engines are useless. It has also trained me to waste time.

December’s Defiant Sausage

This post went to Patronizers at the beginning of December, and the public at the beginning of January.

The longer I run this thing, the more I regret calling a buck a month “See the Sausage Being Made.” Because it inevitably gets shortened to “sausage,” and that leads nowhere good.

Similarly, I shouldn’t have named that one level “Video Chat.” Obviously, it should have been named “Meet the Rats.”

And my web store should never have used the word “chapbooks.” That’s technically correct, but nobody knows what it means. “Short fiction”–everybody understands that.

Oh well, I’ll have to change all of these in my Copious Free Time. A clear illustration that it’s better to do everything correctly the first time, which means extensive planning, which means never accomplishing anything.

But here we are. Last month of the year, and not dead yet. On to what’s going on.

I contemplated doing a Black Friday sale. This year, the Black Friday sales were more numerous than ever. It was overwhelming, and useless. There is no way to penetrate the noise. If I do a sale, it should be for something like Sysadmin Appreciation Day. Or perhaps for March 24, National Gelato Day. Yes, it’s an Italian holiday, but y’all are global and I respect a people who know how to celebrate the important things in life.

I’ve dragged “Run Your Own Mail Server” up to the rspamd section, where it immediately stopped dead. Work hasn’t stopped, but wordcount has. Rspamd is the right solution and many folks use it, but the documentation is designed for people who already know the tool. It’s gonna take me a bit to pull the software apart and see how it fits together from a sysadmin perspective, rather than the developer’s. Why do I say it’s developer-centric? It’s configured in UCL, Universal Configuration Language. I love UCL. UCL is brilliant. It lets you write configuration files in several different formats, including a plain text format inspired by nginx.

Rspamd’s configuration examples… are in JSON. Sysadmins might know some JSON, we can probably read it, but we don’t routinely write it.

You’re not supposed to edit the configuration files by hand? Fine. But the docs take us through them.

And don’t get me started on redis’ official docs. The first part I stumbled across was well done, which set artificially high expectations for the rest.

It’s not just these projects. The problem is endemic across the entire industry.

I guess that’s why y’all back me. I rage at basic software so you don’t have to. You can save your raging for higher-level software.

Rage is also why I write the orc stories. I got the baseball story I owe the orc Kickstarter backers written. It’ll go to copyedit this week, and then to my backers. Yes, y’all are my backers.

Speaking of stories, my Christmas tale Heart of Coal comes out today. I never knew that my life needed the phrase “tell Santa to stick it up his ho-ho-hole” in my life until I wrote it. Anyway, we’re just short of the Longest Dark when orcs traditionally exchange gifts, like meat and rocks and stuff, so I’m offering it to all my Patronizers. Grab a copy from Bookfunnel. As usual, this is for y’all so please don’t share.

I spent a fair amount of time on BSDCan this month. Sponsorship, the CFP system, and the web site all collided simultaneously. I wound up spending a few days in Dan Langille’s 2004-era PHP to get the site updated for 2024. Dan’s code is fine, for 2004-era PHP. I know perfectly well that the number one rule of completing projects is to do the hard part first, yet I let my committee relax about getting the infrastructure ready. I’ll have updates over at the BSDCan blog in the next couple days. I don’t intend to permanently chair the conference. Dan and I are both getting older, and we need to hand these responsibilities off to folks a few years younger. Plus, I have a whole bunch more books to write. Unfortunately, there are few people in the community who could lead the effort to split Dan into multiple parts. Once that’s complete, anyone who knows how to treat colleagues with respect and negotiate can serve as chair. I’m tempted to say “there’s got to be at least, oh, three folks in the BSD community who could do that” but the truth is, there’s a whole bunch of them.

It’s December, and that means I’ll have the usual all-Patronizer hangout. Everyone’s welcome. This year it’ll be in the evening, at least for me, so hopefully folks who haven’t been able to attend before can. Sorry Europe, gotta mix it up a little. I would like to declare that this was the result of deliberate planning rather than screwing up the morning/evening alternation earlier in the year, but that would be a lie.

I hope to see a bunch of you there. Until next month!

2023 Income Sources

Here’s where my income came from in 2023. (For newcomers, I’ve done these posts for the last few years.)

I’m a writer. My income comes from writing books and making them available. I publish both independently and through publishers. I don’t consult. I don’t seek out speaking fees. I desire to make my living as an author, creating and licensing intellectual property. I make my books available in every channel that offers reasonable terms.

Whenever I share actual dollar figures, people inform me that I can’t possibly be making that much, or that I don’t deserve to make that much, or demand I share “the secret.” The first two are not worth my time, and I’ve been trying to tell everyone the dang secret for years: keep writing, with an attitude of deliberate practice. Nothing productive can come from such discussions, so I don’t say.

How did 2023 look?

My income was flat with 2022 and 2019. While the Great Locked Inside Reading Surge of 2020-2021 supplemented my emergency fund, my income is back at its baseline. I’d like more, sure, but I have achieved Enough. Not bad for a year without many books.

Here’s the detail.

Amazon – 28.87%
Trad Pub – 17.55%
TWP direct sales – 15.29%
TWP sponsorship – 12.00%
TWP patronizer – 7.42%
IngramSpark – 5.54%
Kickstarter – 5.46%
Patreon – 4.56%
Gumroad – 1.53%
Apple – 0.70%
Kobo – 0.50%
Google – 0.37%
Draft2Digital – 0.17%
Aerio – 0.03%
Barnes & Noble – 0.01%

Can I draw any conclusions from this?

My web site (TWP, or Tilted Windmill Press) is again this year’s star. The combination of direct sales, sponsors, and my homebrew Patreon is 34.71% of my income, a couple points over last year. It’s built on Woocommerce with a handful of commercial plugins that total about $600 a year. My business goal is to get folks to buy directly from me rather than retailers, so I’m content but not satisfied.

Amazon is at 28.87%, down a couple points from last year. There’s reasons for that. They don’t have rights to distribute my newest tech book on Kindle. They’ve retaliated by deprioritizing the title in their listings. I’m not crying; I consider Amazon a discovery platform, an entry point to the Reader Acquisition Funnel. I neither love nor hate Amazon. They’re merely a retailer who offers a nonnegotiable take-it-or-leave-it deal. I accept or reject that deal on a case-by-case basis. Losing them as a channel would send me back to the “yellow zone” emergency budget, but we’d survive just fine.

Kickstarter is down, but I only ran campaigns for short story collections. My private Patronizer program grew a point, but that’s a wobble not a trend. Traditional publishing income is up, thanks to a Humble Bundle.

Then there’s the “below two percent” retailers. Gumroad, because they handle VAT for European readers. I want all the readers, and Apple, Kobo, and Google serve readers other retailers don’t reach. They’re small, but those nickels spend. Unless things change, this will be the last year I report Barnes & Noble. I spent many happy hours in the 90s and the 00s wandering their aisles and I would like them to be successful for old times’ sake, but they’re just not managing it and their numbers depress me.

Here’s what the last five years have looked like. I have excluded the tiny channels.

It’s hard to call most of these lines “trends.” If you aggregate the various options from my web site, though, you can see a couple things.

Having fewer entities on this graph makes a couple things clear. I dislike that IngramSpark is shrinking year over year. I use IS to fulfill non-Amazon paperback orders and all hardcovers, so this is an indication that either brick-and-mortar bookstores are struggling, or that I haven’t released a “hit” in a couple years. Which is it?

It also shows that my direct-to-reader business efforts are working. Readers are willing to do business directly with writers. They like supporting individual authors.

What does the swell in trad pub mean? It means that I need multiple sources of income. I have no way to control which business partner will prosper and which will pull a Wile E Coyote. No matter what, I must be able to pay the mortgage.

How much do I make off of sponsorships and Patronizers, as opposed to retailers? Fair question. Let’s see.

After a few years of growth, the non-retail income is down. Sponsorships and Patronizers were up, but Kickstarter was down (again, because I didn’t run a big one). The vital lesson here is:

if I don’t put broadly interesting product in front of people, I don’t get paid.

Now that I’ve shared the secret, it’s time to double-check last year’s expenses. Income is great, but it’s expenses that destroy you.

28: A Griddle Big as the Sky

Declaring the existence of something is a way to make me finish it. Here’s a chunk from the Giant Unnamed Fiction Project.

Weirder, Liberty could see Monterey’s face. Not much. But more than he had all night. A pallid glow from the east outlined Monterey’s angular chin and sharp nose. Distinct shadows filled his deep-set eyes.

A blotch of light marred the eastern sky.

Curiosity tugged Liberty to his feet.

The blotch cast a halo of shooting stars, radiating in all directions.

“Do you hear that?” Dreg said.

Insects buzzed. Something small rustled through the corn.

The fuzzy light was enough to see Monterey’s head shake.

Liberty was about to say no when a high-pitched whistle tickled his ears. More of a warble. Maybe a buzz? No, each second it picked up new notes, new resonances. Fingernails on slate. The grumble of a great engine, like the River Rouge Water Wheel but a thousand times bigger.

The hiss of water dropped on a hot griddle, if the water was the Detroit River and the griddle big as the sky.

Now that you know this thing is half finished, it’ll hopefully push me to get it ready to kickstart before 2025. Doable, barring debacle.

27: Obviously Forged

Here’s another chunk from Run Your Own Mail Server.

Ideally, sysadmins want all the messages from their domain to conform to the highest possible standards. They intend to sign everything with DKIM, and publish SPF records that contain every host that might possibly send mail. Anything that doesn’t have perfect alignment is obviously forged and should be unilaterally discarded. Anyone who’s worked in computing more than a week understands that they missed something, though. Some critical system sends mail from its own hostname rather than the domain, or there’s that weird host that sends mail only when the Galactic Senate starts its decennial session. DMARC deliberately allows a soft deployment. You can publish fierce policies that require strict alignment of SPF and/or DKIM, but ask that failures be reported to you rather than discarded. Use the failure reports to find deployment gaps. Eventually the failure reports will stop coming and you can ask others to quarantine or even reject noncompliant mails.
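Both this excerpt and the earlier “I Find Your Lack of DMARC Disturbing” post say the same thing: publish `p=none`, read the aggregate reports, separate your own unsigned or unaligned hosts (deployment gaps) from senders you don’t recognise, and only tighten the policy when the gaps are closed. The following script is an added example of that triage and is not from the book; it parses a constructed RFC 7489 aggregate report for a hypothetical `example.com`, with placeholder IPs, domains, selector and report id, and assumes you maintain a list of source addresses you know are yours.

```python
import xml.etree.ElementTree as ET

# Constructed sample aggregate report in the RFC 7489 XML layout. Every
# address, domain, selector and report id here is a placeholder, not a real sender.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example.org</org_name>
    <report_id>report-id-placeholder</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain><adkim>r</adkim><aspf>r</aspf>
    <p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row><source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><selector>s2023</selector><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row><source_ip>192.0.2.77</source_ip><count>3</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>monitor.example.net</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row><source_ip>203.0.113.5</source_ip><count>40</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results><spf><domain>203.0.113.5</domain><result>none</result></spf></auth_results>
  </record>
</feedback>
"""


def parse_report(xml_text):
    """Flatten an aggregate report into the published policy plus one dict per record."""
    root = ET.fromstring(xml_text)
    published = root.find("policy_published")
    records = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = row.find("policy_evaluated")   # aligned results the receiver applied
        auth = rec.find("auth_results")            # raw SPF/DKIM results, alignment aside
        records.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "header_from": rec.find("identifiers").findtext("header_from"),
            "dkim_aligned": evaluated.findtext("dkim") == "pass",
            "spf_aligned": evaluated.findtext("spf") == "pass",
            "spf_domain": auth.findtext("spf/domain"),
            "dkim_domain": auth.findtext("dkim/domain"),
            "disposition": evaluated.findtext("disposition"),
        })
    return {"domain": published.findtext("domain"),
            "policy": published.findtext("p"), "records": records}


def dmarc_failures(report):
    """Records where neither aligned DKIM nor aligned SPF passed: the mail a
    p=quarantine or p=reject policy would actually act on."""
    return [r for r in report["records"] if not (r["dkim_aligned"] or r["spf_aligned"])]


def classify(report, known_sources):
    """Split failures into our own hosts (deployment gaps to fix) and senders we
    don't recognise (to chase down). known_sources is the set of IPs we own."""
    gaps, unexpected = [], []
    for r in dmarc_failures(report):
        (gaps if r["source_ip"] in known_sources else unexpected).append(r)
    return gaps, unexpected


def safe_to_tighten(report, known_sources):
    """The reports 'say you can' raise the policy once none of our own hosts fail."""
    gaps, _ = classify(report, known_sources)
    return not gaps


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    gaps, unexpected = classify(report, {"192.0.2.10", "192.0.2.77"})
    print(f"{report['domain']} publishes p={report['policy']}")
    for r in gaps:
        print(f"gap: {r['source_ip']} ({r['count']} msgs) SPF domain {r['spf_domain']} not aligned")
    for r in unexpected:
        print(f"investigate: {r['source_ip']} ({r['count']} msgs) fails SPF and DKIM")
    print("safe to tighten:", safe_to_tighten(report, {"192.0.2.10", "192.0.2.77"}))
```

In the sample, the monitoring box at 192.0.2.77 is exactly the “critical system sends mail from its own hostname” case: its SPF passes for `monitor.example.net`, but that doesn’t align with the `example.com` From header, so under `p=reject` its alerts would bounce. That is the gap to fix before moving past `p=none`; the third source is the kind of unexpected sender worth chasing down.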

The light at the end of this book is clearly visible, and I can even hear the train approaching. Yay!

26: It Can, But Doesn’t

Still hammering on Run Your Own Mail Server.

If you’ve worked with signing protocols like OpenPGP, you’re familiar with digital signatures. You take a chunk of data and sign it. Any alteration to the file invalidates the signature. You might be expecting DKIM to work the same way. It can, but doesn’t.

Traditional mail software has been free to rearrange messages if the programmer thought it necessary or correct. This might include adding or rearranging headers, substituting one kind of whitespace for another, trimming trailing whitespace, transforming line wrapping, and more. Any of these changes invalidate digital signatures. Complicated mail systems might pass messages through multiple MTAs before they reach their destination. Those systems are often from different vendors who each interpret the standards uniquely. Some older so-called “email firewalls” mangled messages to achieve what they branded as “security,” and a few of these systems are still
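The mechanism DKIM uses to survive that kind of mangling is canonicalization (RFC 6376): the signer hashes a normalized form of the headers and body rather than the raw bytes, and the “relaxed” form ignores exactly the whitespace rewriting described above. The script below is an added illustration, not code from the book, implementing the body and single-header canonicalizations from the RFC over a constructed message body and a hypothetical relay’s whitespace-mangled copy of it, and computing the `bh=` body hash for each.

```python
import base64
import hashlib
import re

# Constructed sample: the body as the sender signed it, and the same body after a
# hypothetical relay trimmed and collapsed whitespace and appended blank lines.
ORIGINAL_BODY = "Hello,\r\n\r\nPlease  review the\tattached report.\r\nThanks\r\n"
RELAYED_BODY = "Hello,  \r\n\r\nPlease review the attached report. \r\nThanks\r\n\r\n\r\n"


def _lines(body):
    """Split a body on CRLF (tolerating bare LF) into a list of lines."""
    return body.replace("\r\n", "\n").split("\n")


def _strip_trailing_empty(lines):
    """Both canonicalizations ignore empty lines at the end of the body."""
    while lines and lines[-1] == "":
        lines.pop()
    return lines


def canonicalize_body_simple(body):
    """RFC 6376 s3.4.3 'simple' body canonicalization: drop trailing empty
    lines, ensure a final CRLF, keep every other byte exactly as sent.
    An empty body canonicalizes to a single CRLF."""
    lines = _strip_trailing_empty(_lines(body))
    if not lines:
        return b"\r\n"
    return ("\r\n".join(lines) + "\r\n").encode()


def canonicalize_body_relaxed(body):
    """RFC 6376 s3.4.4 'relaxed' body canonicalization: additionally strip
    whitespace at line ends and collapse runs of SP/TAB to one SP.
    An empty body canonicalizes to the empty string."""
    lines = [re.sub(r"[ \t]+", " ", line).rstrip(" ") for line in _lines(body)]
    lines = _strip_trailing_empty(lines)
    if not lines:
        return b""
    return ("\r\n".join(lines) + "\r\n").encode()


def canonicalize_header_relaxed(field):
    """RFC 6376 s3.4.2 'relaxed' header canonicalization for one field:
    lowercase the name, unfold, collapse WSP, strip WSP around the colon
    and at the end of the value."""
    name, _, value = field.partition(":")
    name = name.strip(" \t").lower()
    value = value.replace("\r\n", "")                 # unfold continuation lines
    value = re.sub(r"[ \t]+", " ", value).strip(" ")  # collapse and trim WSP
    return name + ":" + value


def body_hash(canonical):
    """The bh= tag value: base64(SHA-256(canonicalized body))."""
    return base64.b64encode(hashlib.sha256(canonical).digest()).decode()


def survives_relay(original, relayed, canon):
    """Would a bh= computed with this canonicalization still verify after
    the relay's whitespace changes?"""
    return body_hash(canon(original)) == body_hash(canon(relayed))


if __name__ == "__main__":
    for label, canon in (("simple", canonicalize_body_simple),
                         ("relaxed", canonicalize_body_relaxed)):
        print(f"{label}: bh survives relay = {survives_relay(ORIGINAL_BODY, RELAYED_BODY, canon)}")
    print(canonicalize_header_relaxed("Subject: Quarterly\r\n\treport "))
```

With `simple` canonicalization the relayed copy’s hash no longer matches and the signature fails, which is the OpenPGP-style behaviour the post says you might expect; with `relaxed` both copies hash identically. A real signer puts the chosen pair in the signature’s `c=` tag (for example `c=relaxed/relaxed`), and the verifier applies the same rules before checking the hash.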

If you enjoy watching me suffer from cryptography poisoning, you can still sponsor this book or follow the carnage on a few social media platforms.

25: Shoes with Wheels on the Heels

Here’s a snippet from this month’s FreeBSD Journal Letters column.

System administration in a modern enterprise is like performing an oil change on a vehicle doing a hundred and twenty down the freeway. 120 miles an hour, or kilometers, you might ask? When you’re lying on your back on one of those oversized mechanic’s skateboards, clenching the oil wrench in your teeth and wishing you’d worn shoes with wheels on the heels so you wouldn’t have to work quite so hard holding your legs up, it doesn’t matter. Occasionally the driver gets bored with weaving between desktop users guilty of the unspeakable crime of Using The Road While Obeying The Speed Limit Even Though I’m A CEO, so he sideswipes a pothole just to hear your skull bounce off the transmission housing. Wear a helmet. When the oil change is complete, you get to change the spark plugs and flush the coolant. From below, of course. Raising the hood would impair the driver’s vision, and you can’t possibly interfere with the corporate mission, whatever that is.

The .0 release is a metaphorical tire change, that’s all. The trick is to wait until the driver claims there’s a stretch of smooth road ahead and to place the jack snugly between your knees.

No, I’m not cynical about this business. Not at all. This is how it is.

The first three years of this letters column are collected in Letters to ed(1).